<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">

  <meta name="description" content="AWS IAM Policy Audit Report">
  <meta name="author" content="Kinnaird McQuade">
  <title>Cloudsplaining: AWS IAM Policy Audit Report</title>

  <!--Bootstrap theme-->
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"
        integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

  <!--Data Tables-->
  <link rel="stylesheet" href="https://cdn.datatables.net/1.10.20/css/jquery.dataTables.min.css"
        crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdn.datatables.net/select/1.3.1/css/select.dataTables.min.css"
      crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdn.datatables.net/buttons/1.6.2/css/buttons.dataTables.min.css"
        crossorigin="anonymous">


  <!--Custom CSS-->
  <style>
    .nav li {
      float: left;
    }

    .navbar {
      border-radius: 10px;
      font-size: 1em;
    }

    body {
      position: relative;
    }
    div.customer-managed-table {
      word-wrap: break-word;
    }
    div.aws-managed-table {
      word-wrap: break-word;
    }
    div.principals-table {
      word-wrap: break-word;
    }
  </style>

</head>

<body>
<!------------------>
<!-- Row          -->
<!------------------>
<div class="row" style="font-size: 90%">
  <!--------------->
  <!-- Container -->
  <!--------------->
  <div class="container">
    <!------------------>
    <!-- Navbar -->
    <!------------------>
    <nav id="navbar" class="navbar navbar-expand-sm sticky-top navbar-light bg-light">

      <div class="navbar nav nav-tabs" id="nav-tab" role="tablist">
        <div class="navbar-header">
          <a class="navbar-brand" href="#">Cloudsplaining</a>
        </div>
        <ul class="nav nav-tabs">
          <li class="nav-item">
            <a class="nav-item nav-link active" id="nav-summary-tab" data-toggle="tab" href="#nav-summary" role="tab" aria-controls="nav-summary" aria-selected="true">Summary</a>
          </li>
          <li class="nav-item">
            <a class="nav-item nav-link" id="nav-customer-managed-tab" data-toggle="tab" href="#nav-customer-managed" role="tab" aria-controls="nav-customer-managed" aria-selected="false">Customer policies</a>
          </li>
          <li class="nav-item">
            <a class="nav-item nav-link" id="nav-aws-managed-tab" data-toggle="tab" href="#nav-aws-managed" role="tab" aria-controls="nav-aws-managed" aria-selected="false">AWS policies</a>
          </li>
          <li class="nav-item">
            <a class="nav-item nav-link" id="nav-principals-tab" data-toggle="tab" href="#nav-principals" role="tab" aria-controls="nav-principals" aria-selected="false">IAM Principals</a>
          </li>
          <!--GUIDANCE DROPDOWN-->
          <li class="nav-item dropdown">
            <a class="nav-link dropdown-toggle" id="nav-guidance-tab" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false">Guidance</a>
            <div class="dropdown-menu">
              <!--Triage Guidance-->
              <a class="dropdown-item" href="#triage-guidance"><b>Triaging</b></a>
              <a class="dropdown-item" href="#triage-understanding-context">Context</a>
              <a class="dropdown-item" href="#triage-assessment-recap">Assessment Recap</a>
              <a class="dropdown-item" href="#triage-triaging-workflow">Triaging Workflow</a>
              <a class="dropdown-item" href="#triage-triaging-considerations">Triaging Considerations</a>
              <a class="dropdown-item" href="#triage-common-false-positive-scenarios">Common False Positive Scenarios</a>
              <a class="dropdown-item" href="#triage-building-the-exclusions-file">Building the Exclusions File</a>
              <div class="dropdown-divider"></div>
              <!--Remediation Guidance-->
              <a class="dropdown-item" href="#remediation-guidance"><b>Remediation</b></a>
              <a class="dropdown-item" href="#remediation-prioritization">Prioritization</a>
              <a class="dropdown-item" href="#remediation-technical-remediation">Technical Remediation</a>
              <div class="dropdown-divider"></div>
              <!--Validation Guidance-->
              <a class="dropdown-item" href="#validation-guidance"><b>Validation</b></a>
              <a class="dropdown-item" href="#validation-using-cloudsplaining">Using Cloudsplaining</a>
              <a class="dropdown-item" href="#validation-using-parliament">Using Parliament</a>
            </div>
          </li>
          <!--APPENDICES DROPDOWN-->
          <li class="nav-item dropdown">
            <a class="nav-link dropdown-toggle" id="nav-appendices-tab" data-toggle="dropdown" href="#" role="tab" aria-haspopup="true" aria-expanded="false">Appendices</a>
            <div class="dropdown-menu">
              <a class="dropdown-item" href="#appendices"><b>Appendix</b></a>
              <a class="dropdown-item" href="#glossary">Glossary</a>
              <a class="dropdown-item" href="#exclusions">Exclusions Configuration</a>
              <a class="dropdown-item" href="#references">References</a>
            </div>
          </li>
          <li class="nav-item">
            <button type="button" class="btn btn-outline-secondary" id="collapseAccordion">
              <span class="glyphicon glyphicon-collapse-down"></span>Collapse
            </button>
          </li>
          <li class="nav-item">
            <button type="button" class="btn btn-outline-secondary" id="expandAccordion">
              <span class="glyphicon glyphicon-collapse-up"></span>Expand
            </button>
          </li>
        </ul><!--/end navbar list-->
      </div><!-- /end navbar container -->
    </nav><!-- /end navbar -->

    <!--CONTENT-->
    <!--TAB CONTENT-->
    <!-- Title section -->
    <div class="row">
      <div class="col-md-12">
        <div data-spy="scroll" data-target="#navbar" data-offset="50">
        <div class="tab-content" id="nav-tabContent">

          <!--EXECUTIVE SUMMARY TAB-->
          <div class="tab-pane fade show active" id="nav-summary" role="tabpanel" aria-labelledby="nav-summary-tab">
            <br>
            <h4>Report metadata</h4>
            <ul>
              <li>Account: fake (000011112222)</li>
              <li>Report Generated: 2020-05-16</li>
              <li>Cloudsplaining version: <a href="https://github.com/salesforce/cloudsplaining/releases">0.1.2</a></li>
            </ul>
            <br>
            <!--Executive Summary-->
            <h3 id="executive-summary">Executive Summary</h3>
            <p style="text-align: justify">
  <p>This report contains the security assessment results from <a href="https://github.com/salesforce/cloudsplaining">Cloudsplaining</a>, which maps out the IAM risk landscape in a report, identifies where resource ARN constraints are not used, and identifies other risks in IAM policies like <a href="#definition-privilege-escalation">Privilege Escalation</a>, <a href="#definition-resource-exposure">Resource Exposure</a>, <a href="#definition-infrastructure-modification">Infrastructure Modification</a>, and <a href="#definition-data-exfiltration">Data Exfiltration</a>. Remediating these issues, where necessary, will help to limit the blast radius in the case of compromised AWS credentials.</p>
<br>
<br>
<div class="row">
<div class="col-md-6">
<h4>Risk Summary</h4>
<table class="table table-striped w-auto table-sm" style="border-radius: 10px">
<thead>
  <tr>
    <th>Risk</th>
    <th>Instances</th>
    <th><a href="#definition-impact">Impact</a></th>
  </tr>
</thead>
<tbody>

  <tr>
    <td><a href="#definition-privilege-escalation">Privilege Escalation</a></td>
    <td style="background-color: #F18E73">3</td>
    <td style="background-color: #F18E73">Critical</td>
  </tr>


  <tr>
    <td><a href="#definition-resource-exposure">Resource Exposure</a></td>
    <td style="background-color: #FFB660">13</td>
    <td style="background-color: #FFB660">High</td>
  </tr>

  <tr>
    <td><a href="#definition-infrastructure-modification">Infrastructure Modification</a></td>
    <td style="background-color: #FFB660">17</td>
    <td style="background-color: #FFB660">High</td>
  </tr>

    <tr>
    <td><a href="#definition-data-exfiltration">Data Exfiltration</a></td>
    <td style="background-color: #FFE295;">7</td>
    <td style="background-color: #FFE295;">Medium</td>
  </tr>

  </tbody>
</table>
</div>
</div>
          </div><!--/END SUMMARY TAB-->

          <!--PRINCIPALS TAB-->
          <div class="tab-pane fade" id="nav-principals" role="tabpanel" aria-labelledby="nav-principals-tab">
            <br>
            <h3 id="iam-principals">IAM Principals</h3>

            <br>
<p style="text-align: justify">
  The following table shows the list of IAM Users, Groups, and Roles in the account, and their associated policies.
  <br>
  <br>
  If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-infrastructure-modification">Infrastructure Modification</a>, <a href="#definition-privilege-escalation">Privilege Escalation</a>,  <a href="#definition-resource-exposure">Resource Exposure</a>, or <a href="#definition-data-exfiltration">Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table.
  <br>
  <br>
  If the IAM principal is a Role and is <a href="#definition-roles-assumable-by-compute-services">assumable by a Compute Service</a> - <code>ec2</code>, <code>ecs-tasks</code>, <code>lambda</code>, or <code>eks</code> - then that is indicated in the table as well.
  <br>
  <br>
  Note that policies that were excluded from the scan will not have their statistics shown in the table. Please refer to the <a href="#exclusions">Exclusions configuration</a> to see which ones were excluded.
</p>
<hr>
<span class="badge badge-default"></span>
<div class="principals-table table-responsive">
<table id="principals-table" class="display compact" style="width:100%">
  <!--<table id="principals-table" class="table table-striped table-bordered table-sm">-->
  <thead>
     <tr>
       <th></th>
       <th>Type</th>
       <th>Name</th>
       <th>Policy Type</th>
       <th>Managed By</th>
       <th>Policy Name</th>
       <th><a href="#definition-infrastructure-modification">Infrastructure Modification</a></td></th>
       <th><a href="#definition-privilege-escalation">Privilege Escalation</a></td></th>
       <th><a href="#definition-resource-exposure">Resource Exposure</a></th>
       <th><a href="#definition-data-exfiltration">Data Exfiltration</a></th>
       <th>Group Membership</th>
     </tr>
  </thead>
  <tbody>

    <tr>
      <td></td>
      <td>Group</td>
      <td>admin</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>InlinePolicyForAdminGroup</td>
      <td>47</td>
      <td>0</td>
      <td>11</td>
      <td>1</td>
      <td>obama, userwithlotsofpermissions</td>
    </tr>

    <tr>
      <td></td>
      <td>Group</td>
      <td>admin</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td>obama, userwithlotsofpermissions</td>
    </tr>

    <tr>
      <td></td>
      <td>Group</td>
      <td>admin</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AdministratorAccess</td>
      <td></td>
      <td></td>
      <td></td>
      <td></td>
      <td>obama, userwithlotsofpermissions</td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>MyOtherRole</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>MyOtherRolePolicy</td>
      <td>5</td>
      <td>0</td>
      <td>3</td>
      <td>0</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>MyOtherRole</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>MyRole</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>EC2-IAM-example</td>
      <td>5</td>
      <td>0</td>
      <td>3</td>
      <td>0</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>MyRole</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>MyRole</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>CloudWatchFullAccess</td>
      <td>38</td>
      <td>0</td>
      <td>6</td>
      <td>0</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>OverprivilegedEC2</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>OverprivilegedEC2</td>
      <td>3</td>
      <td>1</td>
      <td>1</td>
      <td>2</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>Role</td>
      <td>OverprivilegedEC2</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>InsecurePolicy</td>
      <td>2</td>
      <td>0</td>
      <td>1</td>
      <td>0</td>
      <td></td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>InlinePolicyForAdminGroup</td>
      <td>47</td>
      <td>0</td>
      <td>11</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSCloudTrailFullAccess</td>
      <td>18</td>
      <td>0</td>
      <td>5</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSCodeCommitFullAccess</td>
      <td>52</td>
      <td>0</td>
      <td>0</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AdministratorAccess</td>
      <td></td>
      <td></td>
      <td></td>
      <td></td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AdministratorAccess</td>
      <td></td>
      <td></td>
      <td></td>
      <td></td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AmazonEC2FullAccess</td>
      <td>198</td>
      <td>0</td>
      <td>6</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AmazonS3FullAccess</td>
      <td>47</td>
      <td>0</td>
      <td>11</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>obama</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>CloudWatchFullAccess</td>
      <td>38</td>
      <td>0</td>
      <td>6</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>InlinePolicyForAdminGroup</td>
      <td>47</td>
      <td>0</td>
      <td>11</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-inline-policy">Inline</a></td>
      <td> <a href="#definition-customer-managed-policy">Customer</a></td>
      <td>InsecureUserPolicy</td>
      <td>3</td>
      <td>0</td>
      <td>1</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSKeyManagementServicePowerUser</td>
      <td>4</td>
      <td>0</td>
      <td>0</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AWSLambdaFullAccess</td>
      <td>150</td>
      <td>4</td>
      <td>21</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AdministratorAccess</td>
      <td></td>
      <td></td>
      <td></td>
      <td></td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AmazonRDSFullAccess</td>
      <td>84</td>
      <td>0</td>
      <td>2</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AmazonS3ReadOnlyAccess</td>
      <td>1</td>
      <td>0</td>
      <td>0</td>
      <td>1</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>AmazonSESFullAccess</td>
      <td>21</td>
      <td>0</td>
      <td>0</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>CloudWatchFullAccess</td>
      <td>38</td>
      <td>0</td>
      <td>6</td>
      <td>0</td>
      <td>admin</td>
    </tr>

    <tr>
      <td></td>
      <td>User</td>
      <td>userwithlotsofpermissions</td>
      <td> <a href="#definition-managed-policy">Managed</a></td>
      <td> <a href="#definition-aws-managed-policy">AWS</a></td>
      <td>IAMFullAccess</td>
      <td>78</td>
      <td>10</td>
      <td>79</td>
      <td>0</td>
      <td>admin</td>
    </tr>

  </tbody>
</table>
</div>
<br>
          </div><!--/end PRINCIPALS TAB-->

          <!--CUSTOMER-MANAGED TAB-->
          <div class="tab-pane fade" id="nav-customer-managed" role="tabpanel" aria-labelledby="nav-customer-managed-tab">
            <br>
            <!--Summary: Customer-managed policies-->
            <h3 id="customer-managed-policies-summary">Findings: Customer-managed and inline Policies</h3>
            <br>
<p style="text-align: justify">
  The following table shows a list of Customer created IAM Policies that are currently used in the account - both <a href="#definition-managed-policy">Managed Policies</a> and <a href="#definition-inline-policy">Inline Policies</a>. If the policy is an inline policy, the table indicates the <a href="#definition-principal">IAM Principal</a> that the inline policy is associated with.
  <br>
  <br>
  If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-infrastructure-modification">Infrastructure Modification</a>, <a href="#definition-privilege-escalation">Privilege Escalation</a>,  <a href="#definition-resource-exposure">Resource Exposure</a>, or <a href="#definition-data-exfiltration">Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table.
  <br>
  <br>
  If the IAM principal is a Role and is <a href="#definition-roles-assumable-by-compute-services">assumable by a Compute Service</a> - <code>ec2</code>, <code>ecs-tasks</code>, <code>lambda</code>, or <code>eks</code> - then that is indicated in the table as well.
  <br>
  <br>
  Each of the aforementioned attributes can be used to prioritize which risks to address first. For more information, see the <a href="#remediation-prioritization">Prioritization Guidance</a> and <a href="#triage-triaging-considerations">Triaging Considerations</a>. Consider using all of the Guidance criteria when reviewing this report as well.
  <br>
  <br>
  Note that policies or IAM Principals excluded from the scan will not show up in the table at all. Please refer to the <a href="#exclusions">Exclusions configuration</a> to see which ones were excluded. To view the list of IAM Principals and their associated policies, see the <a href="#nav-principals">IAM Principals Tab</a>.
</p>
<hr>
<span class="badge badge-default"></span>
<div class="customer-managed-table table-responsive table-sm">
<table id="customer-managed-table" class="display compact" style="width:100%; border-radius: 10px">
  <thead>
     <tr>
       <th></th>
       <th>Inline or Managed</th>
       <th>Type</th>
       <th>Policy Name</th>
       <th>Principal Name</th>
       <th>Services Count</th>
       <th>Services</th>
       <th><a href="#definition-infrastructure-modification">Infrastructure Modification</a></td></th>
       <th><a href="#definition-privilege-escalation">Privilege Escalation</a></td></th>
       <th><a href="#definition-resource-exposure">Resource Exposure</a></th>
       <th><a href="#definition-data-exfiltration">Data Exfiltration</a></th>
       <th><a href="#definition-roles-assumable-by-compute-services">Compute Role</a></th>
     </tr>
  </thead>
  <tbody>






















      <tr>
        <td></td>
        <td>Inline</td>
        <td>Role</td>
        <td><a href="#EC2-IAM-example">EC2-IAM-example</a></td>
        <td>MyRole</td>
        <td>2</td>
        <td><p style="max-height: 100px; overflow: scroll;">ec2, iam</p></td>
        <td>5</td>
        <td> </td>
        <td>  3</td>
        <td> </td>
        <td> </td>
      </tr>





      <tr>
        <td></td>
        <td>Inline</td>
        <td>Group</td>
        <td><a href="#InlinePolicyForAdminGroup">InlinePolicyForAdminGroup</a></td>
        <td>admin</td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">s3</p></td>
        <td>47</td>
        <td> </td>
        <td>  11</td>
        <td> 1 </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td>Managed</td>
        <td>Policy</td>
        <td><a href="#InsecurePolicy">InsecurePolicy</a></td>
        <td></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">s3</p></td>
        <td>2</td>
        <td> </td>
        <td>  1</td>
        <td> </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td>Inline</td>
        <td>User</td>
        <td><a href="#InsecureUserPolicy">InsecureUserPolicy</a></td>
        <td>userwithlotsofpermissions</td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">s3</p></td>
        <td>3</td>
        <td> </td>
        <td>  1</td>
        <td> 1 </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td>Inline</td>
        <td>Role</td>
        <td><a href="#MyOtherRolePolicy">MyOtherRolePolicy</a></td>
        <td>MyOtherRole</td>
        <td>2</td>
        <td><p style="max-height: 100px; overflow: scroll;">ec2, iam</p></td>
        <td>5</td>
        <td> </td>
        <td>  3</td>
        <td> </td>
        <td> 1 </td>
      </tr>



      <tr>
        <td></td>
        <td>Inline</td>
        <td>Role</td>
        <td><a href="#OverprivilegedEC2">OverprivilegedEC2</a></td>
        <td>OverprivilegedEC2</td>
        <td>3</td>
        <td><p style="max-height: 100px; overflow: scroll;">iam, s3, secretsmanager</p></td>
        <td>3</td>
        <td>  1 </td>
        <td>  1</td>
        <td> 2 </td>
        <td> 1 </td>
      </tr>


  </tbody>
</table>
</div>
<br>

            <!--Analysis: Customer-managed-policies-->
            <h3 id="customer-managed-in-depth-analysis">In-depth analysis: Customer-managed and inline Policies</h3>






















<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="EC2-IAM-example">Role: EC2-IAM-example</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 2
      <br>
      Infrastructure Modification Actions: 5
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-10">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-10" href="#card-element-customer-doc-10">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-10" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "ec2:DescribeIamInstanceProfileAssociations",
                "iam:GetInstanceProfile",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-10" href="#card-element-customer-action10">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action10" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "ec2:AssociateIamInstanceProfile",
    "ec2:DisassociateIamInstanceProfile",
    "iam:AddRoleToInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:PassRole"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-10" href="#card-element-customer-trust-policy10">Trust Policy Document</a>
           </div>
           <div id="card-element-customer-trust-policy10" class="panel-collapse collapse">
            <div class="card-body">
              <pre><code>
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            }
        }
    ],
    "Version": "2012-10-17"
}
              </code></pre>
            </div>
           </div>
        </div>

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-10" href="#card-element-customer-risks10">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks10" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "iam:AddRoleToInstanceProfile",
  "iam:CreateInstanceProfile",
  "iam:PassRole"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>





<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="InlinePolicyForAdminGroup">Group: InlinePolicyForAdminGroup</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 47
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-12">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-12" href="#card-element-customer-doc-12">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-12" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-12" href="#card-element-customer-action12">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action12" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "s3:AbortMultipartUpload",
    "s3:BypassGovernanceRetention",
    "s3:CreateAccessPoint",
    "s3:CreateBucket",
    "s3:DeleteAccessPoint",
    "s3:DeleteAccessPointPolicy",
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteBucketWebsite",
    "s3:DeleteObject",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersion",
    "s3:DeleteObjectVersionTagging",
    "s3:GetObject",
    "s3:ObjectOwnerOverrideToBucketOwner",
    "s3:PutAccelerateConfiguration",
    "s3:PutAccessPointPolicy",
    "s3:PutAnalyticsConfiguration",
    "s3:PutBucketAcl",
    "s3:PutBucketCORS",
    "s3:PutBucketLogging",
    "s3:PutBucketNotification",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketTagging",
    "s3:PutBucketVersioning",
    "s3:PutBucketWebsite",
    "s3:PutEncryptionConfiguration",
    "s3:PutInventoryConfiguration",
    "s3:PutLifecycleConfiguration",
    "s3:PutMetricsConfiguration",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectLegalHold",
    "s3:PutObjectRetention",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionAcl",
    "s3:PutObjectVersionTagging",
    "s3:PutReplicationConfiguration",
    "s3:ReplicateDelete",
    "s3:ReplicateObject",
    "s3:ReplicateTags",
    "s3:RestoreObject",
    "s3:UpdateJobPriority",
    "s3:UpdateJobStatus"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-12" href="#card-element-customer-risks12">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks12" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">



        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "s3:BypassGovernanceRetention",
  "s3:DeleteAccessPointPolicy",
  "s3:DeleteBucketPolicy",
  "s3:ObjectOwnerOverrideToBucketOwner",
  "s3:PutAccessPointPolicy",
  "s3:PutAccountPublicAccessBlock",
  "s3:PutBucketAcl",
  "s3:PutBucketPolicy",
  "s3:PutBucketPublicAccessBlock",
  "s3:PutObjectAcl",
  "s3:PutObjectVersionAcl"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="InsecurePolicy">Policy: InsecurePolicy</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 2
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-13">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-13" href="#card-element-customer-doc-13">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-13" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-customer-13" href="#card-element-customer-doc-principals13">Attached to Principals</a>
      </div>
      <div id="card-element-customer-doc-principals13" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- OverprivilegedEC2
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-13" href="#card-element-customer-action13">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action13" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "s3:PutObject",
    "s3:PutObjectAcl"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-13" href="#card-element-customer-risks13">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks13" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "s3:PutObjectAcl"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="InsecureUserPolicy">User: InsecureUserPolicy</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 3
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-14">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-14" href="#card-element-customer-doc-14">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-14" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-14" href="#card-element-customer-action14">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action14" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "s3:GetObject",
    "s3:PutObject",
    "s3:PutObjectAcl"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-14" href="#card-element-customer-risks14">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks14" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">



        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "s3:PutObjectAcl"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="MyOtherRolePolicy">Role: MyOtherRolePolicy</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 2
      <br>
      Infrastructure Modification Actions: 5
      <br>

      Role Assumable by Service(s): ec2

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


          <div class="alert alert-info" role="alert">Role Assumable by Compute Service</div>

      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-15">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-15" href="#card-element-customer-doc-15">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-15" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "ec2:DescribeIamInstanceProfileAssociations",
                "iam:GetInstanceProfile",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-15" href="#card-element-customer-action15">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action15" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "ec2:AssociateIamInstanceProfile",
    "ec2:DisassociateIamInstanceProfile",
    "iam:AddRoleToInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:PassRole"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-15" href="#card-element-customer-trust-policy15">Trust Policy Document</a>
           </div>
           <div id="card-element-customer-trust-policy15" class="panel-collapse collapse">
            <div class="card-body">
              <pre><code>
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            }
        }
    ],
    "Version": "2012-10-17"
}
              </code></pre>
            </div>
           </div>
        </div>

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-15" href="#card-element-customer-risks15">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks15" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">

        <!--Role Assumable by Compute Services-->
        <div class="col-sm border">
  Assumable by Compute Services <a href="#definition-roles-assumable-by-compute-services"><small>[link]</small></a>
          <pre><code>

- ec2
          </code></pre>
        </div>




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "iam:AddRoleToInstanceProfile",
  "iam:CreateInstanceProfile",
  "iam:PassRole"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="OverprivilegedEC2">Role: OverprivilegedEC2</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 3
      <br>
      Infrastructure Modification Actions: 3
      <br>

      Role Assumable by Service(s): ec2

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->

          <div class="alert alert-danger" role="alert">Privilege Escalation</div>


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


          <div class="alert alert-info" role="alert">Role Assumable by Compute Service</div>

      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-customer-16">
      <div class="card">
         <div class="card-header">
            <a class="card-link" data-toggle="collapse" data-parent="#card-customer-16" href="#card-element-customer-doc-16">Policy Document</a>
         </div>
         <div id="card-element-customer-doc-16" class="panel-collapse collapse">
            <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "s3:GetObject",
                "iam:CreateAccessKey"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "VisualEditor0"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
            </div>
         </div>
      </div>

      <div class="card">
        <div class="card-header">
          <a class="card-link" data-toggle="collapse" data-parent="#card-customer-16" href="#card-element-customer-action16">Infrastructure Modification Actions</a>
        </div>
        <div id="card-element-customer-action16" class="panel-collapse collapse">
          <div class="card-body">
            <pre><code>
[
    "iam:CreateAccessKey",
    "s3:GetObject",
    "secretsmanager:GetSecretValue"
]
            </code></pre>
          </div>
        </div>
      </div>
     <!--Trust Policy Document-->

        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-16" href="#card-element-customer-trust-policy16">Trust Policy Document</a>
           </div>
           <div id="card-element-customer-trust-policy16" class="panel-collapse collapse">
            <div class="card-body">
              <pre><code>
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            }
        }
    ],
    "Version": "2012-10-17"
}
              </code></pre>
            </div>
           </div>
        </div>

     <!--/end Trust Policy Document-->

      <!--High Priority Risks-->
        <div class="card">
           <div class="card-header">
              <a class="card-link" data-toggle="collapse" data-parent="#card-customer-16" href="#card-element-customer-risks16">High Priority risks</a>
           </div>
           <div id="card-element-customer-risks16" class="panel-collapse collapse">
               <div class="card-body">
  <div class="grid">
      <div class="row">

        <!--Role Assumable by Compute Services-->
        <div class="col-sm border">
  Assumable by Compute Services <a href="#definition-roles-assumable-by-compute-services"><small>[link]</small></a>
          <pre><code>

- ec2
          </code></pre>
        </div>


        <!--Privilege Escalation-->
        <div class="col-sm border">
  Privilege Escalation methods <a href="#definition-privilege-escalation"><small>[link]</small></a>
            <pre><code>

- Method: CreateAccessKey
Actions:
- iam:createaccesskey

            </code></pre>
        </div>


        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject",
  "secretsmanager:GetSecretValue"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "iam:CreateAccessKey"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
           </div>
        </div>
      <!--/end High Priority Risks-->

   </div>

  </div><!-- /col for card -->
</div>


          </div><!--/end CUSTOMER-MANAGED TAB-->


          <!--AWS-MANAGED TAB-->
          <div class="tab-pane fade" id="nav-aws-managed" role="tabpanel" aria-labelledby="nav-aws-managed-tab">
            <br>
            <!--Summary: AWS-managed policies-->
            <h3 id="aws-managed-policies-summary">Findings: AWS-managed Policies</h3>
            <br>
            <span class="badge badge-default"></span>
<br>
<p style="text-align: justify">
  The following table shows a list of <a href="definition-aws-managed-policy">AWS-managed IAM Policies</a> that are currently used in the account.
  <br>
  <br>
  If the policy contains IAM Actions - or combinations of actions - that fall under certain risk categories - <a href="#definition-infrastructure-modification">Infrastructure Modification</a>, <a href="#definition-privilege-escalation">Privilege Escalation</a>,  <a href="#definition-resource-exposure">Resource Exposure</a>, or <a href="#definition-data-exfiltration">Data Exfiltration</a> - then the number of occurrences per-policy and per-risk is included in the table.
  <br>
  <br>
  Each of the aforementioned attributes can be used to prioritize which risks to address first. For more information, see the <a href="#remediation-prioritization">Prioritization Guidance</a> and <a href="#triage-triaging-considerations">Triaging Considerations</a>. Consider using all of the Guidance criteria when reviewing this report as well.
  <br>
  <br>
  Note that policies or IAM Principals excluded from the scan will not show up in the table at all. Please refer to the <a href="#exclusions">Exclusions configuration</a> to see which ones were excluded. To view the list of IAM Principals and their associated policies, see the <a href="#nav-principals">IAM Principals Tab</a>.
</p>
<hr>
<div class="aws-managed-table table-responsive table-sm">
<table id="aws-managed-table" class="display compact" style="width:100%; border-radius: 10px">
  <!--<table id="aws-managed-table" class="table table-striped table-bordered table-sm">-->
  <thead>
     <tr>
       <th></th>
       <th>Policy Name</th>
       <th>Services Count</th>
       <th>Services Affected</th>
       <th><a href="#definition-infrastructure-modification">Infrastructure Modification</a></td></th>
       <th><a href="#definition-privilege-escalation">Privilege Escalation</a></th>
       <th><a href="#definition-resource-exposure">Resource Exposure</a></th>
       <th><a href="#definition-data-exfiltration">Data Exfiltration</a></th>
     </tr>
  </thead>
  <tbody>


      <tr>
        <td></td>
        <td><a href="#AWSCloudTrailFullAccess">AWSCloudTrailFullAccess</a></td>
        <td>4</td>
        <td><p style="max-height: 100px; overflow: scroll;">cloudtrail, iam, s3, sns</p></td>
        <td>18</td>
        <td> </td>
        <td>  5</td>
        <td> 1 </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AWSCodeCommitFullAccess">AWSCodeCommitFullAccess</a></td>
        <td>4</td>
        <td><p style="max-height: 100px; overflow: scroll;">codecommit, codeguru-reviewer, codestar-notifications, events</p></td>
        <td>52</td>
        <td> </td>
        <td> </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AWSKeyManagementServicePowerUser">AWSKeyManagementServicePowerUser</a></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">kms</p></td>
        <td>4</td>
        <td> </td>
        <td> </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AWSLambdaFullAccess">AWSLambdaFullAccess</a></td>
        <td>12</td>
        <td><p style="max-height: 100px; overflow: scroll;">cloudwatch, cognito-sync, dynamodb, events, iam, iot, kinesis, lambda, logs, s3, sns, sqs</p></td>
        <td>150</td>
        <td>  4 </td>
        <td>  21</td>
        <td> 1 </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AmazonEC2FullAccess">AmazonEC2FullAccess</a></td>
        <td>5</td>
        <td><p style="max-height: 100px; overflow: scroll;">autoscaling, cloudwatch, ec2, elasticloadbalancing, iam</p></td>
        <td>198</td>
        <td> </td>
        <td>  6</td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AmazonRDSFullAccess">AmazonRDSFullAccess</a></td>
        <td>4</td>
        <td><p style="max-height: 100px; overflow: scroll;">cloudwatch, iam, rds, sns</p></td>
        <td>84</td>
        <td> </td>
        <td>  2</td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AmazonS3FullAccess">AmazonS3FullAccess</a></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">s3</p></td>
        <td>47</td>
        <td> </td>
        <td>  11</td>
        <td> 1 </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AmazonS3ReadOnlyAccess">AmazonS3ReadOnlyAccess</a></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">s3</p></td>
        <td>1</td>
        <td> </td>
        <td> </td>
        <td> 1 </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#AmazonSESFullAccess">AmazonSESFullAccess</a></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">ses</p></td>
        <td>21</td>
        <td> </td>
        <td> </td>
        <td> </td>
      </tr>



      <tr>
        <td></td>
        <td><a href="#CloudWatchFullAccess">CloudWatchFullAccess</a></td>
        <td>3</td>
        <td><p style="max-height: 100px; overflow: scroll;">cloudwatch, logs, sns</p></td>
        <td>38</td>
        <td> </td>
        <td>  6</td>
        <td> </td>
      </tr>





      <tr>
        <td></td>
        <td><a href="#IAMFullAccess">IAMFullAccess</a></td>
        <td>1</td>
        <td><p style="max-height: 100px; overflow: scroll;">iam</p></td>
        <td>78</td>
        <td>  10 </td>
        <td>  79</td>
        <td> </td>
      </tr>












  </tbody>
</table>
</div>
<br>

            <!--Analysis: AWS-managed-policies-->
            <h3 id="aws-managed-in-depth-analysis">In-depth analysis: AWS-managed Policies</h3>
            <br>


<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AWSCloudTrailFullAccess">Policy: AWSCloudTrailFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 4
      <br>
      Infrastructure Modification Actions: 18
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-0">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-0" href="#card-element-aws-doc-0">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-0" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:SetTopicAttributes",
                "sns:GetTopicAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:ListAllMyBuckets",
                "s3:PutBucketPolicy",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "cloudtrail:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudtrail.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListAliases"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "lambda:ListFunctions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-0" href="#card-element-aws-doc-principals0">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals0" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- obama
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-0" href="#card-element-aws-action0">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action0" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "cloudtrail:AddTags",
    "cloudtrail:CreateTrail",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:RemoveTags",
    "cloudtrail:StartLogging",
    "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail",
    "iam:PassRole",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:GetObject",
    "s3:PutBucketPolicy",
    "sns:AddPermission",
    "sns:CreateTopic",
    "sns:DeleteTopic",
    "sns:SetTopicAttributes"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-0" href="#card-element-aws-risks0">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks0" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">



        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "sns:AddPermission",
  "sns:CreateTopic",
  "sns:SetTopicAttributes",
  "s3:PutBucketPolicy",
  "iam:PassRole"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AWSCodeCommitFullAccess">Policy: AWSCodeCommitFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 4
      <br>
      Infrastructure Modification Actions: 52
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->




      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-1">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-1" href="#card-element-aws-doc-1">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-1" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "codecommit:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:ListTargetsByRule"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:events:*:*:rule/codecommit*",
            "Sid": "CloudWatchEventsCodeCommitRulesAccess"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:SetTopicAttributes"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:*:*:codecommit*",
            "Sid": "SNSTopicAndSubscriptionAccess"
        },
        {
            "Action": [
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sns:GetTopicAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "SNSTopicAndSubscriptionReadAccess"
        },
        {
            "Action": [
                "lambda:ListFunctions"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "LambdaReadOnlyListAccess"
        },
        {
            "Action": [
                "iam:ListUsers"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "IAMReadOnlyListAccess"
        },
        {
            "Action": [
                "iam:ListAccessKeys",
                "iam:ListSSHPublicKeys",
                "iam:ListServiceSpecificCredentials"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Sid": "IAMReadOnlyConsoleAccess"
        },
        {
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Sid": "IAMUserSSHKeys"
        },
        {
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ResetServiceSpecificCredential"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:user/${aws:username}",
            "Sid": "IAMSelfManageServiceSpecificCredentials"
        },
        {
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:DeleteNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe"
            ],
            "Condition": {
                "StringLike": {
                    "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CodeStarNotificationsReadWriteAccess"
        },
        {
            "Action": [
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource",
                "codestar-notifications:ListEventTypes"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CodeStarNotificationsListAccess"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:SetTopicAttributes"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sns:*:*:codestar-notifications*",
            "Sid": "CodeStarNotificationsSNSTopicCreateAccess"
        },
        {
            "Action": [
                "codeguru-reviewer:AssociateRepository",
                "codeguru-reviewer:DescribeRepositoryAssociation",
                "codeguru-reviewer:ListRepositoryAssociations",
                "codeguru-reviewer:DisassociateRepository"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AmazonCodeGuruReviewerFullAccess"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
            "Sid": "AmazonCodeGuruReviewerSLRCreation"
        },
        {
            "Action": [
                "events:PutRule",
                "events:PutTargets",
                "events:DeleteRule",
                "events:RemoveTargets"
            ],
            "Condition": {
                "StringEquals": {
                    "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CloudWatchEventsManagedRules"
        },
        {
            "Action": [
                "chatbot:DescribeSlackChannelConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CodeStarNotificationsChatbotAccess"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-1" href="#card-element-aws-doc-principals1">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals1" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- obama
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-1" href="#card-element-aws-action1">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action1" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "codecommit:AssociateApprovalRuleTemplateWithRepository",
    "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
    "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
    "codecommit:CreateBranch",
    "codecommit:CreateCommit",
    "codecommit:CreatePullRequest",
    "codecommit:CreatePullRequestApprovalRule",
    "codecommit:CreateRepository",
    "codecommit:CreateUnreferencedMergeCommit",
    "codecommit:DeleteBranch",
    "codecommit:DeleteCommentContent",
    "codecommit:DeleteFile",
    "codecommit:DeletePullRequestApprovalRule",
    "codecommit:DeleteRepository",
    "codecommit:DisassociateApprovalRuleTemplateFromRepository",
    "codecommit:GitPush",
    "codecommit:MergeBranchesByFastForward",
    "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay",
    "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash",
    "codecommit:MergePullRequestByThreeWay",
    "codecommit:OverridePullRequestApprovalRules",
    "codecommit:PostCommentForComparedCommit",
    "codecommit:PostCommentForPullRequest",
    "codecommit:PostCommentReply",
    "codecommit:PutFile",
    "codecommit:PutRepositoryTriggers",
    "codecommit:TagResource",
    "codecommit:TestRepositoryTriggers",
    "codecommit:UntagResource",
    "codecommit:UpdateComment",
    "codecommit:UpdateDefaultBranch",
    "codecommit:UpdatePullRequestApprovalRuleContent",
    "codecommit:UpdatePullRequestApprovalState",
    "codecommit:UpdatePullRequestDescription",
    "codecommit:UpdatePullRequestStatus",
    "codecommit:UpdatePullRequestTitle",
    "codecommit:UpdateRepositoryDescription",
    "codecommit:UpdateRepositoryName",
    "codecommit:UploadArchive",
    "codeguru-reviewer:AssociateRepository",
    "codeguru-reviewer:DisassociateRepository",
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe",
    "codestar-notifications:UpdateNotificationRule",
    "events:DeleteRule",
    "events:PutRule",
    "events:PutTargets",
    "events:RemoveTargets"
]
          </code></pre>
        </div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AWSKeyManagementServicePowerUser">Policy: AWSKeyManagementServicePowerUser</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 4
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->




      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-2">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-2" href="#card-element-aws-doc-2">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-2" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:Describe*",
                "kms:GenerateRandom",
                "kms:Get*",
                "kms:List*",
                "kms:TagResource",
                "kms:UntagResource",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-2" href="#card-element-aws-doc-principals2">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals2" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-2" href="#card-element-aws-action2">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action2" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "kms:CreateAlias",
    "kms:DeleteAlias",
    "kms:TagResource",
    "kms:UntagResource"
]
          </code></pre>
        </div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AWSLambdaFullAccess">Policy: AWSLambdaFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 12
      <br>
      Infrastructure Modification Actions: 150
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->

          <div class="alert alert-danger" role="alert">Privilege Escalation</div>


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-3">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-3" href="#card-element-aws-doc-3">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-3" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudwatch:*",
                "cognito-identity:ListIdentityPools",
                "cognito-sync:GetCognitoEvents",
                "cognito-sync:SetCognitoEvents",
                "dynamodb:*",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "events:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:CreateTopicRule",
                "iot:DescribeEndpoint",
                "iot:GetTopicRule",
                "iot:ListPolicies",
                "iot:ListThings",
                "iot:ListTopicRules",
                "iot:ReplaceTopicRule",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kinesis:PutRecord",
                "kms:ListAliases",
                "lambda:*",
                "logs:*",
                "s3:*",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Publish",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sqs:ListQueues",
                "sqs:SendMessage",
                "tag:GetResources",
                "xray:PutTelemetryRecords",
                "xray:PutTraceSegments"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-3" href="#card-element-aws-doc-principals3">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals3" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- admin
- MyOtherRole
- MyRole
- obama
- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-3" href="#card-element-aws-action3">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action3" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DeleteDashboards",
    "cloudwatch:DeleteInsightRules",
    "cloudwatch:DisableAlarmActions",
    "cloudwatch:DisableInsightRules",
    "cloudwatch:EnableAlarmActions",
    "cloudwatch:EnableInsightRules",
    "cloudwatch:PutDashboard",
    "cloudwatch:PutInsightRule",
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:SetAlarmState",
    "cloudwatch:TagResource",
    "cloudwatch:UntagResource",
    "cognito-sync:SetCognitoEvents",
    "dynamodb:BatchWriteItem",
    "dynamodb:CreateBackup",
    "dynamodb:CreateGlobalTable",
    "dynamodb:CreateTable",
    "dynamodb:CreateTableReplica",
    "dynamodb:DeleteBackup",
    "dynamodb:DeleteItem",
    "dynamodb:DeleteTable",
    "dynamodb:DeleteTableReplica",
    "dynamodb:PutItem",
    "dynamodb:RestoreTableFromBackup",
    "dynamodb:RestoreTableToPointInTime",
    "dynamodb:TagResource",
    "dynamodb:UntagResource",
    "dynamodb:UpdateContinuousBackups",
    "dynamodb:UpdateContributorInsights",
    "dynamodb:UpdateGlobalTable",
    "dynamodb:UpdateGlobalTableSettings",
    "dynamodb:UpdateItem",
    "dynamodb:UpdateTable",
    "dynamodb:UpdateTableReplicaAutoScaling",
    "dynamodb:UpdateTimeToLive",
    "events:ActivateEventSource",
    "events:CreateEventBus",
    "events:CreatePartnerEventSource",
    "events:DeactivateEventSource",
    "events:DeleteEventBus",
    "events:DeletePartnerEventSource",
    "events:DeleteRule",
    "events:DisableRule",
    "events:EnableRule",
    "events:PutRule",
    "events:PutTargets",
    "events:RemoveTargets",
    "events:TagResource",
    "events:UntagResource",
    "iam:PassRole",
    "iot:AttachPrincipalPolicy",
    "iot:CreateThing",
    "iot:CreateTopicRule",
    "iot:ReplaceTopicRule",
    "kinesis:PutRecord",
    "lambda:AddLayerVersionPermission",
    "lambda:AddPermission",
    "lambda:CreateAlias",
    "lambda:CreateFunction",
    "lambda:DeleteAlias",
    "lambda:DeleteEventSourceMapping",
    "lambda:DeleteFunction",
    "lambda:DeleteFunctionConcurrency",
    "lambda:DeleteFunctionEventInvokeConfig",
    "lambda:DeleteLayerVersion",
    "lambda:DeleteProvisionedConcurrencyConfig",
    "lambda:DisableReplication",
    "lambda:EnableReplication",
    "lambda:InvokeAsync",
    "lambda:InvokeFunction",
    "lambda:PublishLayerVersion",
    "lambda:PublishVersion",
    "lambda:PutFunctionConcurrency",
    "lambda:PutFunctionEventInvokeConfig",
    "lambda:PutProvisionedConcurrencyConfig",
    "lambda:RemoveLayerVersionPermission",
    "lambda:RemovePermission",
    "lambda:TagResource",
    "lambda:UntagResource",
    "lambda:UpdateAlias",
    "lambda:UpdateEventSourceMapping",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:UpdateFunctionEventInvokeConfig",
    "logs:AssociateKmsKey",
    "logs:CreateExportTask",
    "logs:CreateLogStream",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "logs:DeleteMetricFilter",
    "logs:DeleteRetentionPolicy",
    "logs:DeleteSubscriptionFilter",
    "logs:DisassociateKmsKey",
    "logs:PutLogEvents",
    "logs:PutMetricFilter",
    "logs:PutRetentionPolicy",
    "logs:PutSubscriptionFilter",
    "logs:TagLogGroup",
    "logs:UntagLogGroup",
    "s3:AbortMultipartUpload",
    "s3:BypassGovernanceRetention",
    "s3:CreateAccessPoint",
    "s3:CreateBucket",
    "s3:DeleteAccessPoint",
    "s3:DeleteAccessPointPolicy",
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteBucketWebsite",
    "s3:DeleteObject",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersion",
    "s3:DeleteObjectVersionTagging",
    "s3:GetObject",
    "s3:ObjectOwnerOverrideToBucketOwner",
    "s3:PutAccelerateConfiguration",
    "s3:PutAccessPointPolicy",
    "s3:PutAnalyticsConfiguration",
    "s3:PutBucketAcl",
    "s3:PutBucketCORS",
    "s3:PutBucketLogging",
    "s3:PutBucketNotification",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketTagging",
    "s3:PutBucketVersioning",
    "s3:PutBucketWebsite",
    "s3:PutEncryptionConfiguration",
    "s3:PutInventoryConfiguration",
    "s3:PutLifecycleConfiguration",
    "s3:PutMetricsConfiguration",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectLegalHold",
    "s3:PutObjectRetention",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionAcl",
    "s3:PutObjectVersionTagging",
    "s3:PutReplicationConfiguration",
    "s3:ReplicateDelete",
    "s3:ReplicateObject",
    "s3:ReplicateTags",
    "s3:RestoreObject",
    "s3:UpdateJobPriority",
    "s3:UpdateJobStatus",
    "sns:Publish",
    "sns:Subscribe",
    "sqs:SendMessage"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-3" href="#card-element-aws-risks3">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks3" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">


        <!--Privilege Escalation-->
        <div class="col-sm border">
  Privilege Escalation methods <a href="#definition-privilege-escalation"><small>[link]</small></a>
            <pre><code>

- Method: PassExistingRoleToNewLambdaThenInvoke
Actions:
- iam:passrole
- lambda:createfunction
- lambda:invokefunction

- Method: PassExistingRoleToNewLambdaThenTriggerWithNewDynamo
Actions:
- iam:passrole
- lambda:createfunction
- lambda:createeventsourcemapping
- dynamodb:createtable
- dynamodb:putitem

- Method: PassExistingRoleToNewLambdaThenTriggerWithExistingDynamo
Actions:
- iam:passrole
- lambda:createfunction
- lambda:createeventsourcemapping

- Method: EditExistingLambdaFunctionWithRole
Actions:
- lambda:updatefunctioncode

            </code></pre>
        </div>


        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "iam:PassRole",
  "iot:AttachPrincipalPolicy",
  "lambda:AddLayerVersionPermission",
  "lambda:AddPermission",
  "lambda:DisableReplication",
  "lambda:EnableReplication",
  "lambda:RemoveLayerVersionPermission",
  "lambda:RemovePermission",
  "logs:DeleteResourcePolicy",
  "logs:PutResourcePolicy",
  "s3:BypassGovernanceRetention",
  "s3:DeleteAccessPointPolicy",
  "s3:DeleteBucketPolicy",
  "s3:ObjectOwnerOverrideToBucketOwner",
  "s3:PutAccessPointPolicy",
  "s3:PutAccountPublicAccessBlock",
  "s3:PutBucketAcl",
  "s3:PutBucketPolicy",
  "s3:PutBucketPublicAccessBlock",
  "s3:PutObjectAcl",
  "s3:PutObjectVersionAcl"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AmazonEC2FullAccess">Policy: AmazonEC2FullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 5
      <br>
      Infrastructure Modification Actions: 198
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-4">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-4" href="#card-element-aws-doc-4">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-4" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "elasticloadbalancing:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "cloudwatch:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "autoscaling:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-4" href="#card-element-aws-doc-principals4">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals4" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- obama
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-4" href="#card-element-aws-action4">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action4" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "autoscaling:AttachInstances",
    "autoscaling:AttachLoadBalancerTargetGroups",
    "autoscaling:AttachLoadBalancers",
    "autoscaling:BatchDeleteScheduledAction",
    "autoscaling:BatchPutScheduledUpdateGroupAction",
    "autoscaling:CompleteLifecycleAction",
    "autoscaling:CreateAutoScalingGroup",
    "autoscaling:CreateLaunchConfiguration",
    "autoscaling:CreateOrUpdateTags",
    "autoscaling:DeleteAutoScalingGroup",
    "autoscaling:DeleteLaunchConfiguration",
    "autoscaling:DeleteLifecycleHook",
    "autoscaling:DeleteNotificationConfiguration",
    "autoscaling:DeletePolicy",
    "autoscaling:DeleteScheduledAction",
    "autoscaling:DeleteTags",
    "autoscaling:DetachInstances",
    "autoscaling:DetachLoadBalancerTargetGroups",
    "autoscaling:DetachLoadBalancers",
    "autoscaling:DisableMetricsCollection",
    "autoscaling:EnableMetricsCollection",
    "autoscaling:EnterStandby",
    "autoscaling:ExecutePolicy",
    "autoscaling:ExitStandby",
    "autoscaling:PutLifecycleHook",
    "autoscaling:PutNotificationConfiguration",
    "autoscaling:PutScalingPolicy",
    "autoscaling:PutScheduledUpdateGroupAction",
    "autoscaling:RecordLifecycleActionHeartbeat",
    "autoscaling:ResumeProcesses",
    "autoscaling:SetDesiredCapacity",
    "autoscaling:SetInstanceHealth",
    "autoscaling:SetInstanceProtection",
    "autoscaling:SuspendProcesses",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "autoscaling:UpdateAutoScalingGroup",
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DeleteDashboards",
    "cloudwatch:DeleteInsightRules",
    "cloudwatch:DisableAlarmActions",
    "cloudwatch:DisableInsightRules",
    "cloudwatch:EnableAlarmActions",
    "cloudwatch:EnableInsightRules",
    "cloudwatch:PutDashboard",
    "cloudwatch:PutInsightRule",
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:SetAlarmState",
    "cloudwatch:TagResource",
    "cloudwatch:UntagResource",
    "ec2:AcceptTransitGatewayPeeringAttachment",
    "ec2:AcceptTransitGatewayVpcAttachment",
    "ec2:AcceptVpcEndpointConnections",
    "ec2:AcceptVpcPeeringConnection",
    "ec2:AllocateHosts",
    "ec2:ApplySecurityGroupsToClientVpnTargetNetwork",
    "ec2:AssociateClientVpnTargetNetwork",
    "ec2:AssociateIamInstanceProfile",
    "ec2:AssociateTransitGatewayMulticastDomain",
    "ec2:AssociateTransitGatewayRouteTable",
    "ec2:AttachClassicLinkVpc",
    "ec2:AttachVolume",
    "ec2:AuthorizeClientVpnIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CancelCapacityReservation",
    "ec2:CopySnapshot",
    "ec2:CreateClientVpnEndpoint",
    "ec2:CreateClientVpnRoute",
    "ec2:CreateFlowLogs",
    "ec2:CreateLaunchTemplateVersion",
    "ec2:CreateLocalGatewayRoute",
    "ec2:CreateLocalGatewayRouteTableVpcAssociation",
    "ec2:CreateNetworkInterfacePermission",
    "ec2:CreateRoute",
    "ec2:CreateSnapshot",
    "ec2:CreateSnapshots",
    "ec2:CreateTags",
    "ec2:CreateTrafficMirrorFilter",
    "ec2:CreateTrafficMirrorFilterRule",
    "ec2:CreateTrafficMirrorSession",
    "ec2:CreateTrafficMirrorTarget",
    "ec2:CreateTransitGateway",
    "ec2:CreateTransitGatewayMulticastDomain",
    "ec2:CreateTransitGatewayPeeringAttachment",
    "ec2:CreateTransitGatewayRoute",
    "ec2:CreateTransitGatewayRouteTable",
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:CreateVolume",
    "ec2:CreateVpcEndpoint",
    "ec2:CreateVpcEndpointServiceConfiguration",
    "ec2:CreateVpcPeeringConnection",
    "ec2:CreateVpnConnection",
    "ec2:DeleteClientVpnEndpoint",
    "ec2:DeleteClientVpnRoute",
    "ec2:DeleteCustomerGateway",
    "ec2:DeleteDhcpOptions",
    "ec2:DeleteInternetGateway",
    "ec2:DeleteLaunchTemplate",
    "ec2:DeleteLaunchTemplateVersions",
    "ec2:DeleteLocalGatewayRoute",
    "ec2:DeleteLocalGatewayRouteTableVpcAssociation",
    "ec2:DeleteNetworkAcl",
    "ec2:DeleteNetworkAclEntry",
    "ec2:DeleteRoute",
    "ec2:DeleteRouteTable",
    "ec2:DeleteSecurityGroup",
    "ec2:DeleteSnapshot",
    "ec2:DeleteTags",
    "ec2:DeleteTrafficMirrorFilter",
    "ec2:DeleteTrafficMirrorFilterRule",
    "ec2:DeleteTrafficMirrorSession",
    "ec2:DeleteTrafficMirrorTarget",
    "ec2:DeleteTransitGateway",
    "ec2:DeleteTransitGatewayMulticastDomain",
    "ec2:DeleteTransitGatewayPeeringAttachment",
    "ec2:DeleteTransitGatewayRoute",
    "ec2:DeleteTransitGatewayRouteTable",
    "ec2:DeleteTransitGatewayVpcAttachment",
    "ec2:DeleteVolume",
    "ec2:DeleteVpcEndpointServiceConfigurations",
    "ec2:DeleteVpcEndpoints",
    "ec2:DeleteVpcPeeringConnection",
    "ec2:DeregisterTransitGatewayMulticastGroupMembers",
    "ec2:DeregisterTransitGatewayMulticastGroupSources",
    "ec2:DetachClassicLinkVpc",
    "ec2:DetachVolume",
    "ec2:DisableFastSnapshotRestores",
    "ec2:DisableTransitGatewayRouteTablePropagation",
    "ec2:DisableVpcClassicLink",
    "ec2:DisassociateClientVpnTargetNetwork",
    "ec2:DisassociateIamInstanceProfile",
    "ec2:DisassociateTransitGatewayMulticastDomain",
    "ec2:DisassociateTransitGatewayRouteTable",
    "ec2:EnableFastSnapshotRestores",
    "ec2:EnableTransitGatewayRouteTablePropagation",
    "ec2:EnableVpcClassicLink",
    "ec2:ImportClientVpnClientCertificateRevocationList",
    "ec2:ModifyCapacityReservation",
    "ec2:ModifyClientVpnEndpoint",
    "ec2:ModifyInstanceCreditSpecification",
    "ec2:ModifyInstanceEventStartTime",
    "ec2:ModifyLaunchTemplate",
    "ec2:ModifySnapshotAttribute",
    "ec2:ModifyTrafficMirrorFilterNetworkServices",
    "ec2:ModifyTrafficMirrorFilterRule",
    "ec2:ModifyTrafficMirrorSession",
    "ec2:ModifyTransitGatewayVpcAttachment",
    "ec2:ModifyVpcEndpoint",
    "ec2:ModifyVpcEndpointServiceConfiguration",
    "ec2:ModifyVpcEndpointServicePermissions",
    "ec2:ModifyVpnConnection",
    "ec2:ModifyVpnTunnelOptions",
    "ec2:RebootInstances",
    "ec2:RegisterTransitGatewayMulticastGroupMembers",
    "ec2:RegisterTransitGatewayMulticastGroupSources",
    "ec2:RejectTransitGatewayPeeringAttachment",
    "ec2:RejectTransitGatewayVpcAttachment",
    "ec2:RejectVpcEndpointConnections",
    "ec2:RejectVpcPeeringConnection",
    "ec2:ReplaceIamInstanceProfileAssociation",
    "ec2:ReplaceRoute",
    "ec2:ReplaceTransitGatewayRoute",
    "ec2:RevokeClientVpnIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RunInstances",
    "ec2:SendDiagnosticInterrupt",
    "ec2:StartInstances",
    "ec2:StartVpcEndpointServicePrivateDnsVerification",
    "ec2:StopInstances",
    "ec2:TerminateClientVpnConnections",
    "ec2:TerminateInstances",
    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
    "elasticloadbalancing:AddListenerCertificates",
    "elasticloadbalancing:AddTags",
    "elasticloadbalancing:CreateListener",
    "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:CreateRule",
    "elasticloadbalancing:CreateTargetGroup",
    "elasticloadbalancing:DeleteListener",
    "elasticloadbalancing:DeleteLoadBalancer",
    "elasticloadbalancing:DeleteRule",
    "elasticloadbalancing:DeleteTargetGroup",
    "elasticloadbalancing:DeregisterTargets",
    "elasticloadbalancing:ModifyListener",
    "elasticloadbalancing:ModifyLoadBalancerAttributes",
    "elasticloadbalancing:ModifyRule",
    "elasticloadbalancing:ModifyTargetGroup",
    "elasticloadbalancing:ModifyTargetGroupAttributes",
    "elasticloadbalancing:RegisterTargets",
    "elasticloadbalancing:RemoveListenerCertificates",
    "elasticloadbalancing:RemoveTags",
    "elasticloadbalancing:SetIpAddressType",
    "elasticloadbalancing:SetRulePriorities",
    "elasticloadbalancing:SetSecurityGroups",
    "elasticloadbalancing:SetSubnets",
    "iam:CreateServiceLinkedRole"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-4" href="#card-element-aws-risks4">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks4" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "ec2:CreateNetworkInterfacePermission",
  "ec2:DeleteNetworkInterfacePermission",
  "ec2:ModifySnapshotAttribute",
  "ec2:ModifyVpcEndpointServicePermissions",
  "ec2:ResetSnapshotAttribute",
  "iam:CreateServiceLinkedRole"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AmazonRDSFullAccess">Policy: AmazonRDSFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 4
      <br>
      Infrastructure Modification Actions: 84
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-5">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-5" href="#card-element-aws-doc-5">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-5" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "rds:*",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "pi:*",
            "Effect": "Allow",
            "Resource": "arn:aws:pi:*:*:metrics/rds/*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": [
                        "rds.amazonaws.com",
                        "rds.application-autoscaling.amazonaws.com"
                    ]
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-5" href="#card-element-aws-doc-principals5">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals5" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-5" href="#card-element-aws-action5">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action5" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "cloudwatch:DeleteAlarms",
    "cloudwatch:PutMetricAlarm",
    "iam:CreateServiceLinkedRole",
    "rds:AddRoleToDBCluster",
    "rds:AddRoleToDBInstance",
    "rds:AddSourceIdentifierToSubscription",
    "rds:AddTagsToResource",
    "rds:ApplyPendingMaintenanceAction",
    "rds:AuthorizeDBSecurityGroupIngress",
    "rds:BacktrackDBCluster",
    "rds:CopyDBClusterParameterGroup",
    "rds:CopyDBClusterSnapshot",
    "rds:CopyDBParameterGroup",
    "rds:CopyDBSnapshot",
    "rds:CopyOptionGroup",
    "rds:CreateDBCluster",
    "rds:CreateDBClusterEndpoint",
    "rds:CreateDBClusterParameterGroup",
    "rds:CreateDBClusterSnapshot",
    "rds:CreateDBInstance",
    "rds:CreateDBInstanceReadReplica",
    "rds:CreateDBParameterGroup",
    "rds:CreateDBSecurityGroup",
    "rds:CreateDBSnapshot",
    "rds:CreateDBSubnetGroup",
    "rds:CreateEventSubscription",
    "rds:CreateGlobalCluster",
    "rds:CreateOptionGroup",
    "rds:DeleteDBCluster",
    "rds:DeleteDBClusterEndpoint",
    "rds:DeleteDBClusterParameterGroup",
    "rds:DeleteDBClusterSnapshot",
    "rds:DeleteDBInstance",
    "rds:DeleteDBParameterGroup",
    "rds:DeleteDBProxy",
    "rds:DeleteDBSecurityGroup",
    "rds:DeleteDBSnapshot",
    "rds:DeleteDBSubnetGroup",
    "rds:DeleteEventSubscription",
    "rds:DeleteGlobalCluster",
    "rds:DeleteOptionGroup",
    "rds:DeregisterDBProxyTargets",
    "rds:FailoverDBCluster",
    "rds:ModifyCurrentDBClusterCapacity",
    "rds:ModifyDBCluster",
    "rds:ModifyDBClusterEndpoint",
    "rds:ModifyDBClusterParameterGroup",
    "rds:ModifyDBClusterSnapshotAttribute",
    "rds:ModifyDBInstance",
    "rds:ModifyDBParameterGroup",
    "rds:ModifyDBProxy",
    "rds:ModifyDBProxyTargetGroup",
    "rds:ModifyDBSnapshot",
    "rds:ModifyDBSnapshotAttribute",
    "rds:ModifyDBSubnetGroup",
    "rds:ModifyEventSubscription",
    "rds:ModifyGlobalCluster",
    "rds:ModifyOptionGroup",
    "rds:PromoteReadReplica",
    "rds:PromoteReadReplicaDBCluster",
    "rds:PurchaseReservedDBInstancesOffering",
    "rds:RebootDBInstance",
    "rds:RegisterDBProxyTargets",
    "rds:RemoveFromGlobalCluster",
    "rds:RemoveRoleFromDBCluster",
    "rds:RemoveRoleFromDBInstance",
    "rds:RemoveSourceIdentifierFromSubscription",
    "rds:RemoveTagsFromResource",
    "rds:ResetDBClusterParameterGroup",
    "rds:ResetDBParameterGroup",
    "rds:RestoreDBClusterFromS3",
    "rds:RestoreDBClusterFromSnapshot",
    "rds:RestoreDBClusterToPointInTime",
    "rds:RestoreDBInstanceFromDBSnapshot",
    "rds:RestoreDBInstanceFromS3",
    "rds:RestoreDBInstanceToPointInTime",
    "rds:RevokeDBSecurityGroupIngress",
    "rds:StartActivityStream",
    "rds:StartDBCluster",
    "rds:StartDBInstance",
    "rds:StopActivityStream",
    "rds:StopDBCluster",
    "rds:StopDBInstance",
    "sns:Publish"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-5" href="#card-element-aws-risks5">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks5" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "rds:AuthorizeDBSecurityGroupIngress",
  "iam:CreateServiceLinkedRole"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AmazonS3FullAccess">Policy: AmazonS3FullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 47
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>


          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-6">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-6" href="#card-element-aws-doc-6">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-6" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-6" href="#card-element-aws-doc-principals6">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals6" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- obama
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-6" href="#card-element-aws-action6">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action6" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "s3:AbortMultipartUpload",
    "s3:BypassGovernanceRetention",
    "s3:CreateAccessPoint",
    "s3:CreateBucket",
    "s3:DeleteAccessPoint",
    "s3:DeleteAccessPointPolicy",
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteBucketWebsite",
    "s3:DeleteObject",
    "s3:DeleteObjectTagging",
    "s3:DeleteObjectVersion",
    "s3:DeleteObjectVersionTagging",
    "s3:GetObject",
    "s3:ObjectOwnerOverrideToBucketOwner",
    "s3:PutAccelerateConfiguration",
    "s3:PutAccessPointPolicy",
    "s3:PutAnalyticsConfiguration",
    "s3:PutBucketAcl",
    "s3:PutBucketCORS",
    "s3:PutBucketLogging",
    "s3:PutBucketNotification",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketTagging",
    "s3:PutBucketVersioning",
    "s3:PutBucketWebsite",
    "s3:PutEncryptionConfiguration",
    "s3:PutInventoryConfiguration",
    "s3:PutLifecycleConfiguration",
    "s3:PutMetricsConfiguration",
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:PutObjectLegalHold",
    "s3:PutObjectRetention",
    "s3:PutObjectTagging",
    "s3:PutObjectVersionAcl",
    "s3:PutObjectVersionTagging",
    "s3:PutReplicationConfiguration",
    "s3:ReplicateDelete",
    "s3:ReplicateObject",
    "s3:ReplicateTags",
    "s3:RestoreObject",
    "s3:UpdateJobPriority",
    "s3:UpdateJobStatus"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-6" href="#card-element-aws-risks6">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks6" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">



        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "s3:BypassGovernanceRetention",
  "s3:DeleteAccessPointPolicy",
  "s3:DeleteBucketPolicy",
  "s3:ObjectOwnerOverrideToBucketOwner",
  "s3:PutAccessPointPolicy",
  "s3:PutAccountPublicAccessBlock",
  "s3:PutBucketAcl",
  "s3:PutBucketPolicy",
  "s3:PutBucketPublicAccessBlock",
  "s3:PutObjectAcl",
  "s3:PutObjectVersionAcl"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AmazonS3ReadOnlyAccess">Policy: AmazonS3ReadOnlyAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 1
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->


          <div class="alert alert-warning" role="alert">Data Exfiltration</div>



      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-7">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-7" href="#card-element-aws-doc-7">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-7" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-7" href="#card-element-aws-doc-principals7">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals7" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-7" href="#card-element-aws-action7">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action7" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "s3:GetObject"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-7" href="#card-element-aws-risks7">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks7" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">



        <!--Data Exfiltration-->
        <div class="col-sm border">
  <p>Data Exfiltration actions <a href="#definition-data-exfiltration"><small>[link]</small></a>
          <pre><code>
[
  "s3:GetObject"
]
          </code></pre>
        </div>


      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="AmazonSESFullAccess">Policy: AmazonSESFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 21
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->




      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-8">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-8" href="#card-element-aws-doc-8">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-8" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "ses:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-8" href="#card-element-aws-doc-principals8">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals8" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-8" href="#card-element-aws-action8">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action8" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "ses:CreateConfigurationSet",
    "ses:CreateConfigurationSetEventDestination",
    "ses:CreateDedicatedIpPool",
    "ses:CreateDeliverabilityTestReport",
    "ses:CreateEmailIdentity",
    "ses:DeleteConfigurationSet",
    "ses:DeleteConfigurationSetEventDestination",
    "ses:DeleteDedicatedIpPool",
    "ses:DeleteEmailIdentity",
    "ses:PutConfigurationSetDeliveryOptions",
    "ses:PutConfigurationSetReputationOptions",
    "ses:PutConfigurationSetSendingOptions",
    "ses:PutConfigurationSetTrackingOptions",
    "ses:PutDedicatedIpInPool",
    "ses:PutEmailIdentityDkimAttributes",
    "ses:PutEmailIdentityFeedbackAttributes",
    "ses:PutEmailIdentityMailFromAttributes",
    "ses:SendEmail",
    "ses:TagResource",
    "ses:UntagResource",
    "ses:UpdateConfigurationSetEventDestination"
]
          </code></pre>
        </div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>



<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="CloudWatchFullAccess">Policy: CloudWatchFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 3
      <br>
      Infrastructure Modification Actions: 38
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-9">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-9" href="#card-element-aws-doc-9">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-9" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:*",
                "logs:*",
                "sns:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "events.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-9" href="#card-element-aws-doc-principals9">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals9" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- MyRole
- obama
- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-9" href="#card-element-aws-action9">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action9" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "cloudwatch:DeleteAlarms",
    "cloudwatch:DeleteDashboards",
    "cloudwatch:DeleteInsightRules",
    "cloudwatch:DisableAlarmActions",
    "cloudwatch:DisableInsightRules",
    "cloudwatch:EnableAlarmActions",
    "cloudwatch:EnableInsightRules",
    "cloudwatch:PutDashboard",
    "cloudwatch:PutInsightRule",
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:SetAlarmState",
    "cloudwatch:TagResource",
    "cloudwatch:UntagResource",
    "logs:AssociateKmsKey",
    "logs:CreateExportTask",
    "logs:CreateLogStream",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
    "logs:DeleteMetricFilter",
    "logs:DeleteRetentionPolicy",
    "logs:DeleteSubscriptionFilter",
    "logs:DisassociateKmsKey",
    "logs:PutLogEvents",
    "logs:PutMetricFilter",
    "logs:PutRetentionPolicy",
    "logs:PutSubscriptionFilter",
    "logs:TagLogGroup",
    "logs:UntagLogGroup",
    "sns:AddPermission",
    "sns:ConfirmSubscription",
    "sns:CreateTopic",
    "sns:DeleteTopic",
    "sns:Publish",
    "sns:RemovePermission",
    "sns:SetTopicAttributes",
    "sns:Subscribe",
    "sns:TagResource",
    "sns:UntagResource"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-9" href="#card-element-aws-risks9">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks9" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">




        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "logs:DeleteResourcePolicy",
  "logs:PutResourcePolicy",
  "sns:AddPermission",
  "sns:CreateTopic",
  "sns:RemovePermission",
  "sns:SetTopicAttributes"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>





<br>
<div class="row">
  <div class="col-md-5">
    <div class="card">
  <h6 class="card-header" id="IAMFullAccess">Policy: IAMFullAccess</h6>
    <div class="card-body">
    <p class="card-text">
      Services: 1
      <br>
      Infrastructure Modification Actions: 78
      <br>

    </p>
    </div> <!-- /card-text -->
      <div class="card-footer"> <!-- card-footer: Where we store risk category indicators -->

          <div class="alert alert-danger" role="alert">Privilege Escalation</div>



          <div class="alert alert-danger" role="alert">Resource Exposure</div>


      </div><!-- /card-footer -->
   </div><!-- /card -->
<br>
<br>
  </div>
  <div class="col-md-7">
    <div id="card-aws-11">
    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-11" href="#card-element-aws-doc-11">Policy Document</a>
      </div>
      <div id="card-element-aws-doc-11" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>
{
    "Statement": [
        {
            "Action": [
                "iam:*",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
</code></pre>
        </div>
      </div>
    </div>

        <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-11" href="#card-element-aws-doc-principals11">Attached to Principals</a>
      </div>
      <div id="card-element-aws-doc-principals11" class="panel-collapse collapse">
        <div class="card-body">
<pre><code>

- userwithlotsofpermissions
</code></pre>
        </div>
      </div>
    </div>
      <!--/attached to principals-->


    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-11" href="#card-element-aws-action11">Infrastructure Modification Actions</a>
      </div>
      <div id="card-element-aws-action11" class="panel-collapse collapse">
        <div class="card-body">
          <pre><code>
[
    "iam:AddClientIDToOpenIDConnectProvider",
    "iam:AddRoleToInstanceProfile",
    "iam:AddUserToGroup",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:ChangePassword",
    "iam:CreateAccessKey",
    "iam:CreateGroup",
    "iam:CreateInstanceProfile",
    "iam:CreateLoginProfile",
    "iam:CreateOpenIDConnectProvider",
    "iam:CreatePolicy",
    "iam:CreatePolicyVersion",
    "iam:CreateRole",
    "iam:CreateSAMLProvider",
    "iam:CreateServiceLinkedRole",
    "iam:CreateServiceSpecificCredential",
    "iam:CreateUser",
    "iam:CreateVirtualMFADevice",
    "iam:DeactivateMFADevice",
    "iam:DeleteAccessKey",
    "iam:DeleteGroup",
    "iam:DeleteGroupPolicy",
    "iam:DeleteInstanceProfile",
    "iam:DeleteLoginProfile",
    "iam:DeleteOpenIDConnectProvider",
    "iam:DeletePolicy",
    "iam:DeletePolicyVersion",
    "iam:DeleteRole",
    "iam:DeleteRolePermissionsBoundary",
    "iam:DeleteRolePolicy",
    "iam:DeleteSAMLProvider",
    "iam:DeleteSSHPublicKey",
    "iam:DeleteServerCertificate",
    "iam:DeleteServiceLinkedRole",
    "iam:DeleteServiceSpecificCredential",
    "iam:DeleteSigningCertificate",
    "iam:DeleteUser",
    "iam:DeleteUserPermissionsBoundary",
    "iam:DeleteUserPolicy",
    "iam:DeleteVirtualMFADevice",
    "iam:DetachGroupPolicy",
    "iam:DetachRolePolicy",
    "iam:DetachUserPolicy",
    "iam:EnableMFADevice",
    "iam:PassRole",
    "iam:PutGroupPolicy",
    "iam:PutRolePermissionsBoundary",
    "iam:PutRolePolicy",
    "iam:PutUserPermissionsBoundary",
    "iam:PutUserPolicy",
    "iam:RemoveClientIDFromOpenIDConnectProvider",
    "iam:RemoveRoleFromInstanceProfile",
    "iam:RemoveUserFromGroup",
    "iam:ResetServiceSpecificCredential",
    "iam:ResyncMFADevice",
    "iam:SetDefaultPolicyVersion",
    "iam:TagRole",
    "iam:TagUser",
    "iam:UntagRole",
    "iam:UntagUser",
    "iam:UpdateAccessKey",
    "iam:UpdateAssumeRolePolicy",
    "iam:UpdateGroup",
    "iam:UpdateLoginProfile",
    "iam:UpdateOpenIDConnectProviderThumbprint",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription",
    "iam:UpdateSAMLProvider",
    "iam:UpdateSSHPublicKey",
    "iam:UpdateServerCertificate",
    "iam:UpdateServiceSpecificCredential",
    "iam:UpdateSigningCertificate",
    "iam:UpdateUser",
    "iam:UploadSSHPublicKey",
    "iam:UploadServerCertificate",
    "iam:UploadSigningCertificate"
]
          </code></pre>
        </div>
      </div>
    </div>

    <div class="card">
      <div class="card-header">
        <a class="card-link" data-toggle="collapse" data-parent="#card-aws-11" href="#card-element-aws-risks11">High Priority risks</a>
      </div>
      <div id="card-element-aws-risks11" class="panel-collapse collapse">
        <div class="card-body">
  <div class="grid">
      <div class="row">


        <!--Privilege Escalation-->
        <div class="col-sm border">
  Privilege Escalation methods <a href="#definition-privilege-escalation"><small>[link]</small></a>
            <pre><code>

- Method: CreateAccessKey
Actions:
- iam:createaccesskey

- Method: CreateLoginProfile
Actions:
- iam:createloginprofile

- Method: UpdateLoginProfile
Actions:
- iam:updateloginprofile

- Method: CreateNewPolicyVersion
Actions:
- iam:createpolicyversion

- Method: SetExistingDefaultPolicyVersion
Actions:
- iam:setdefaultpolicyversion

- Method: AttachUserPolicy
Actions:
- iam:attachuserpolicy

- Method: AttachGroupPolicy
Actions:
- iam:attachgrouppolicy

- Method: PutUserPolicy
Actions:
- iam:putuserpolicy

- Method: PutGroupPolicy
Actions:
- iam:putgrouppolicy

- Method: AddUserToGroup
Actions:
- iam:addusertogroup

            </code></pre>
        </div>



        <!--Resource Exposure-->
        <div class="col-sm border">
  <p>Resource Exposure actions <a href="#definition-resource-exposure"><small>[link]</small></a></p>
          <pre><code>
[
  "iam:AddClientIDToOpenIDConnectProvider",
  "iam:AddRoleToInstanceProfile",
  "iam:AddUserToGroup",
  "iam:AttachGroupPolicy",
  "iam:AttachRolePolicy",
  "iam:AttachUserPolicy",
  "iam:ChangePassword",
  "iam:CreateAccessKey",
  "iam:CreateAccountAlias",
  "iam:CreateGroup",
  "iam:CreateInstanceProfile",
  "iam:CreateLoginProfile",
  "iam:CreateOpenIDConnectProvider",
  "iam:CreatePolicy",
  "iam:CreatePolicyVersion",
  "iam:CreateRole",
  "iam:CreateSAMLProvider",
  "iam:CreateServiceLinkedRole",
  "iam:CreateServiceSpecificCredential",
  "iam:CreateUser",
  "iam:CreateVirtualMFADevice",
  "iam:DeactivateMFADevice",
  "iam:DeleteAccessKey",
  "iam:DeleteAccountAlias",
  "iam:DeleteAccountPasswordPolicy",
  "iam:DeleteGroup",
  "iam:DeleteGroupPolicy",
  "iam:DeleteInstanceProfile",
  "iam:DeleteLoginProfile",
  "iam:DeleteOpenIDConnectProvider",
  "iam:DeletePolicy",
  "iam:DeletePolicyVersion",
  "iam:DeleteRole",
  "iam:DeleteRolePermissionsBoundary",
  "iam:DeleteRolePolicy",
  "iam:DeleteSAMLProvider",
  "iam:DeleteSSHPublicKey",
  "iam:DeleteServerCertificate",
  "iam:DeleteServiceLinkedRole",
  "iam:DeleteServiceSpecificCredential",
  "iam:DeleteSigningCertificate",
  "iam:DeleteUser",
  "iam:DeleteUserPermissionsBoundary",
  "iam:DeleteUserPolicy",
  "iam:DeleteVirtualMFADevice",
  "iam:DetachGroupPolicy",
  "iam:DetachRolePolicy",
  "iam:DetachUserPolicy",
  "iam:EnableMFADevice",
  "iam:PassRole",
  "iam:PutGroupPolicy",
  "iam:PutRolePermissionsBoundary",
  "iam:PutRolePolicy",
  "iam:PutUserPermissionsBoundary",
  "iam:PutUserPolicy",
  "iam:RemoveClientIDFromOpenIDConnectProvider",
  "iam:RemoveRoleFromInstanceProfile",
  "iam:RemoveUserFromGroup",
  "iam:ResetServiceSpecificCredential",
  "iam:ResyncMFADevice",
  "iam:SetDefaultPolicyVersion",
  "iam:SetSecurityTokenServicePreferences",
  "iam:UpdateAccessKey",
  "iam:UpdateAccountPasswordPolicy",
  "iam:UpdateAssumeRolePolicy",
  "iam:UpdateGroup",
  "iam:UpdateLoginProfile",
  "iam:UpdateOpenIDConnectProviderThumbprint",
  "iam:UpdateRole",
  "iam:UpdateRoleDescription",
  "iam:UpdateSAMLProvider",
  "iam:UpdateSSHPublicKey",
  "iam:UpdateServerCertificate",
  "iam:UpdateServiceSpecificCredential",
  "iam:UpdateSigningCertificate",
  "iam:UpdateUser",
  "iam:UploadSSHPublicKey",
  "iam:UploadServerCertificate",
  "iam:UploadSigningCertificate"
]
          </code></pre>
        </div>

      </div>
  </div>
</div>
      </div>
    </div>

     </div>
  </div><!-- /col for card -->
</div>













          </div><!--/end AWS-MANAGED TAB-->

        </div><!--/end Tab content-->
        </div><!--/end data spy-->


        <hr>
        <br>
        <!--Guidance-->
        <h2 id="guidance">Guidance</h2>
        <div style="text-align: justify" >
<!--Guidance: Triaging-->
<h3 id="triage-guidance">Triaging</h3>
<p>
<div id="triage-understanding-context"> <h5>Understanding Context</h5></div>

<p>It's essential to understand the context behind the findings that the report generates. Understanding the context behind the findings aids the assessor in triaging the results accurately.</p>
<p>This report generates findings on Policies that do not leverage resource constraints and identifies some attributes to help prioritize which ones to address - such as Privilege Escalation, Resource Exposure, and Data Exfiltration. These results help you to identify your IAM threat landscape and reduce blast radius. In the event of credential compromise, you can prevent an attacker from exploiting the risks mentioned above, in addition to preventing mass deletion, destruction, or modification of existing infrastructure.</p>
<p>However, this tool does not attempt to understand the context behind everything in your AWS account. It's possible to understand the context behind some of these things programmatically - whether the policy is applied to an instance profile, whether the policy is attached, whether inline IAM policies are in use, and whether or not AWS Managed Policies are in use. <strong>Only you know the context behind the design of your AWS infrastructure and the IAM strategy</strong>.</p>
<p>For example, an AWS Lambda policy used as a simple service checking the configuration of AWS infrastructure might be a good use case for resource constraints. Conversely, perhaps you applied the AdministratorAccess AWS-managed policy to an Instance Profile so that an EC2 instance can run Terraform to provision AWS resources via Infrastructure as Code. In the second example, the role is extremely permissive <strong>by design</strong> - and a tool can't automatically understand that context.</p>
<p>As such, the tool aims to:
<div id="triage-guidance-description-bullet-points">
<ul>
<li> Map out your risk landscape of IAM identity-based policies, enumerating the potential risks for a full IAM threat model</li>
<li>Identify where you can reduce the blast radius in the case of credentials compromise</li>
<li> Help you prioritize which ones to remediate</li>
<li> Provide a straightforward workflow to remediate</li>
<li> Provide a sufficient exclusions mechanism to programmatically define where deviations from resource constraints are by design</li>
</ul>
</div></p>
<div id="triage-assessment-recap"> <h5>Assessment Recap</h5></div>

<p>To recap: you've followed these steps to generate this report:</p>
<div id="triage-guidance-recap-bullet-points">
<ul>
<li>Downloaded the Account Authorization details JSON file</li>
  <ul>
    <li><code>cloudsplaining download --profile default --output default-account-details.json</code></li>
  </ul>
<li>Generated your custom exclusions file</li>
  <ul><li><code>cloudsplaining create-exclusions-file --output-file exclusions.yml</code></li></ul>
<li>Generated the report</li>
  <ul>
    <li><code>cloudsplaining scan --input default-account-details.json --exclusions-file exclusions.yml</code></li>
    <li>This generates three files: (1) The single-file HTML report, (2) The triage CSV worksheet, and (3) The raw JSON data file</li>
  </ul>
</ul>
</div>

<div id="triage-triaging-workflow"> <h5>Triaging workflow</h5></div>

<p>An assessor can follow this general workflow:</p>
<ul>
<li>Open a ticket in your organization's project management tool of choice (for example, JIRA or Salesforce) in the AWS account owner's project</li>
<li>Attach the HTML report, JSON Data file, and CSV worksheet</li>
<li>Ask the service/account owner team to fill out the Triage worksheet</li>
</ul>

<p>When you ask the service/account owner team to fill out the Triage CSV worksheet, you can use some text like the following:</p>
<blockquote>
<p>As part of our security assessment, our team ran Cloudsplaining on your AWS account. Cloudsplaining maps out the IAM risk landscape in a report, identifies where resource ARN constraints are not in use, and identifies other risks in IAM policies like Privilege Escalation, Data Exfiltration, and Resource Exposure/Permissions management. Remediating these issues, where applicable, will help to limit the blast radius in the case of compromised AWS credentials.
We request that you review the HTML report and fill out the "Justification" field in the Triage worksheet. Based on the corresponding details in the HTML report, provide either (1) A justification on why the result is a False Positive, or (2) Identify that it is a legitimate finding.</p>
</blockquote>
<div id="triage-triaging-considerations"> <h5>Triaging considerations</h5></div>

<p>When triaging your results, consider some of the factors listed below as you identify False Positives vs. legitimate findings. <strong>There are some scenarios where <code>"Resource": "*"</code> access is by design and is therefore a false positive. This section covers some of the common scenarios.</strong></p>
<p><strong>Infrastructure Creation roles</strong>:</p>
<p>IAM roles that create infrastructure via Infrastructure as Code Technologies (for example, Terraform or CloudFormation) require high permission levels to provision AWS infrastructure. These will usually be false positives. When you see these instances, make sure that these roles are adequately protected. For instance, make sure that roles within the AWS account are not able to assume this role or affect its configuration in any way. Additionally, consider restricting the trust policy so that a set of explicitly stated IAM principals are the only ones who can assume that role. Take special care to audit instances of <code>sts:AssumeRole</code> within this AWS account.</p>
<p><strong>System roles vs. User Roles</strong>: System roles - IAM Roles applied to compute services, such as EC2 Instance Profiles, ECS Task Execution roles, or Lambda Task Execution roles - should almost always leverage resource ARN constraints for actions that perform "Write" actions. Exceptions to this could include Infrastructure provisioning or other edge cases.</p>
<p>Conversely, user roles will almost always be used against <code>*</code> resources for the sake of convenience, innovation, and avoiding overly restrictive limitations. In the user role scenario, consider:
<div id="triage-guidance-considerations-pt1-bullet-points">
<ul>
  <li><b>Design context</b>: is it appropriate? (For instance, maybe all your user roles don't need <code>iam:*</code>)</li>
  <li><b>Environment</b>: If this is a Dev environment, frequently-used user roles probably allow more permissions for innovation purposes. However, in later environments - especially production - commonly used user roles should be read-only - or the more permissive ones should be for break-glass scenarios only.</li>
  <li><b>Regardless of the context</b>: there should <b>always</b> be security guardrails in place, like <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html">Service Control Policies through AWS Organizations</a> or <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html">IAM Permissions Boundaries</a> to prevent against egregious mistakes.</li>
</ul>
</div></p>
<p><strong>Organization-specific results</strong></p>
<p>For example, perhaps you allow kms:Decrypt for * resources (by design) in your organization for one reason or another. Cloudsplaining flags this as a result. However, there are mitigating controls in place. Firstly, you leverage strict resource-based KMS key policies to lock down all KMS keys, explicitly stating individual IAM principals that are allowed to use them. Secondly, you provision all KMS keys with CloudFormation or Terraform, so you are confident that this pattern is consistent across all KMS keys in your AWS accounts. Therefore, <code>kms:Decrypt</code> to <code>*</code> resources is not a finding you are concerned about. In this case, you decide it is acceptable to exclude <code>kms:Decrypt</code> from your results.</p>
<div id="triage-common-false-positive-scenarios"> <h5>Common False Positive Scenarios</h5></div>

<p><strong>Conditions Logic</strong>:</p>
<p>This tool does not evaluate <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html">IAM Conditions</a> logic. If your policies use wildcard resources but restrict according to condition keys, then it's possible this is a false positive. However, you might want to double-check the accuracy of the conditions logic in those IAM policies. While IAM conditions can be extremely powerful, implementation is also prone to human error. We suggest leveraging <a href="https://github.com/duo-labs/parliament/">Parliament by Duo Labs</a> (courtesy of <a href="https://twitter.com/0xdabbad00">Scott Piper</a>), to lint your policies for accuracy - especially when IAM conditions are in use.</p>
<p><strong><code>logs:CreateLogGroup</code> and <code>logs:PutLogEvent</code></strong>:</p>
<p>Depending on how your organization approaches CloudWatch Logs Agent configuration, IAM, and CloudWatch Logs Group naming conventions, it is sometimes near-impossible to prevent cross-contamination of logs or Log Injection to the Log Streams from other instance IDs. Cross-Contamination of CloudWatch Logs is an issue of its own that is definitely beyond the scope of this document - but consider this as a potential limitation by AWS when trying to identify a remediation plan.</p>
<div id="triage-building-the-exclusions-file"> <h5>Building the Exclusions File</h5></div>

<p>After you have identified the False Positives, add the False Positive criteria to your custom Cloudsplaining exclusions file. The False Positives generally fall into one of two categories:
<div id="triage-guidance-considerations-pt3-bullet-points">
<ul>
  <li>False positives that will occur across all of your AWS accounts, due to your organization-wide implementation strategy</li>
  <li>False positives specific to this AWS account</li>
</ul>
</div></p>
<p>To make the exclusions file, create a YAML file that we will use to list out exclusions with the <code>create-exclusions-file</code> command.</p>
<pre><code class="bash">cloudsplaining create-exclusions-file
</code></pre>

<p>This will generate a file titled <code>exclusions.yml</code> in your current directory.</p>
<p>The default exclusions file contains these contents:</p>
<pre><code class="yaml"># Policy names to exclude from evaluation
# Suggestion: Add policies here that are known to be overly permissive by design, after you run the initial report.
policies:
  - &quot;AWSServiceRoleFor*&quot;
  - &quot;*ServiceRolePolicy&quot;
  - &quot;*ServiceLinkedRolePolicy&quot;
  - &quot;AdministratorAccess&quot; # Otherwise, this will take a long time
  - &quot;service-role*&quot;
  - &quot;aws-service-role*&quot;
# Don't evaluate these roles, users, or groups as part of the evaluation
roles:
  - &quot;service-role*&quot;
  - &quot;aws-service-role*&quot;
users:
  - &quot;&quot;
groups:
  - &quot;&quot;
# Read-only actions to include in the results, such as s3:GetObject
# By default, it includes Actions that could lead to Data Exfiltration
include-actions:
  - &quot;s3:GetObject&quot;
  - &quot;ssm:GetParameter&quot;
  - &quot;ssm:GetParameters&quot;
  - &quot;ssm:GetParametersByPath&quot;
  - &quot;secretsmanager:GetSecretValue&quot;
# Write actions to include from the results, such as kms:Decrypt
exclude-actions:
  - &quot;&quot;
</code></pre>

<p>Add whatever values you want to the above depending on your organization's context.
  * Under <code>policies</code>, list the path of policy names that you want to exclude.
  * If you want to exclude a role titled <code>MyRole</code>, list <code>MyRole</code> or <code>MyR*</code> in the <code>roles</code> list.
  * You can follow the same approach for <code>users</code> and <code>groups</code> list.</p>
<ul>
<li>Now, run the scan to generate a <em>new</em> Cloudsplaining report  that considers your exclusions criteria. This way, you are working with a report version that consists of True Positives only.</li>
</ul>
<pre><code class="bash">cloudsplaining scan --input default.json --exclusions-file exclusions.yml
</code></pre>

<p>You can now proceed to the Remediation stage.</p>
<br>
<br>

<!--Guidance: Remediation-->
<h3 id="remediation-guidance">Remediation</h3>
<p>
<div id="remediation-prioritization"> <h5>Prioritizing Remediation</h5></div>

<p>Depending on the existing workload of the engineering team addressing your concerns, the team might ask to address high priority items first rather than addressing all items, especially if the report is quite large. In this scenario, consider instructing the team to address High Priority Risks and the usage of AWS-Managed Policies first.</p>
<p><strong>High priority risks</strong>:</p>
<p>These include Privilege Escalation, Data Exfiltration, and Potential Resource Exposure/Permissions management. This report highlights each finding that has these high priority risks.</p>
<p><strong>Moving from AWS Managed Policies over to custom policies</strong>:</p>
<p>AWS managed policies always include access to <code>*</code> resources because AWS provides these same policies universally to all customer accounts. If this report flags  any AWS-managed policies, it means that the account/service owner team will not only have to implement resource constraints - they will have to create a custom IAM policy to do so. To limit this work, it is best to migrate away from the root cause of the problem - using AWS managed policies.</p>
<p>You can then queue the work for remediating the other Customer-managed policies that do not have the High-Priority Risks attributes. Implementing resource ARN constraints for True Positives is still important, since overly permissive "Write" actions can cause modification or deletion of AWS resources by a bad actor with compromised credentials, resulting in downtime.</p>
<div id="remediation-technical-remediation"> <h5>Remediating the Findings</h5></div>

<p>We suggest two options for remediating each finding:
<div id="remediation-guidance-pt2-bullet-points">
<ul>
  <li>Leveraging <a href="https://github.com/salesforce/policy_sentry/">Policy Sentry</a>, courtesy of <a href="https://twitter.com/kmcquade3">Kinnaird McQuade</a>, which generates policies with resource ARN constraints at user-specified access levels automagically.</li>
  <li>Manually rewriting the policies</li>
</ul>
</div></p>
<p><strong>Leveraging Policy Sentry</strong></p>
<p>For guidance on how to use Policy Sentry, please see the documentation <a href="https://github.com/salesforce/policy_sentry/#writing-secure-policies-based-on-resource-constraints-and-access-levels">here</a>. This is highly suggested - within 10 minutes of learning the tool, creating a secure IAM policy becomes a matter of:
<div id="remediation-guidance-pt2-bullet-points-2">
<ul>
  <li>Generating the YAML template with <code>policy_sentry create-template --output-file crud.yml --template-type crud</code></li>
  <li>Literally copying/pasting resource ARNs into the template</li>
  <li>Running <code>policy_sentry write-policy --input-file crud.yml</code></li>
</ul>
</div></p>
<p><strong>Manually rewriting the IAM Policies</strong></p>
<p>For guidance on how to write secure IAM Policies by hand, see the tutorial <a href="https://engineering.salesforce.com/salesforce-cloud-security-automating-least-privilege-in-aws-iam-with-policy-sentry-b04fe457b8dc#6997">here</a>. Just be aware - you'll spend a lot of time looking at the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html">AWS Documentation on IAM Actions, Resources, and Condition Keys</a>, which can become quite tedious and time-consuming.</p>
<br>
<br>

<!--Guidance: Validation-->
<h3 id="validation-guidance">Validation</h3>
<p>
<div id="validation-guidance-description"> <h5>Validating remediated policies</h5></div>

<p>After you've rewritten your IAM policy, we suggest two options for validating that it will pass Cloudsplaining and alleviate any remaining concerns:</p>
<div id="validation-guidance-pt1-bullet-points">
<ul>
  <li>Run Cloudsplaining's <code>scan-policy-file</code> command, which scans a single JSON policy file instead of the entire AWS Account's Authorization details. </li>
  <li>Leveraging <a href="https://github.com/duo-labs/parliament/">Parliament by Duo-Labs</a>, courtesy of <a href="https://twitter.com/0xdabbad00">Scott Piper</a></li>
</ul>
</div>

<div id="validation-using-cloudsplaining"> <h5>Using Cloudsplaining to Validate your Remediated Policies</h5></div>

<p>You can validate that your remediated policy passes Cloudsplaining by running the following command:</p>
<p><code>cloudsplaining scan-policy-file --input policy.json --exclusions-file exclusions.yml</code></p>
<p>When there are no more results, it passes!</p>
<div id="validation-using-parliament"> <h5>Using Parliament to Lint your Policies</h5></div>

<p>parliament is an AWS IAM linting library. It reviews policies looking for problems such as:</p>
<div id="validation-guidance-pt2-bullet-points">
<ul>
  <li>malformed JSON </li>
  <li>missing required elements</li>
  <li>incorrect service prefix and action names</li>
  <li>incorrect resources or conditions for the actions provided</li>
  <li>type mismatches</li>
  <li>bad policy patterns</li>
</ul>
</div>

<p>This library duplicates (and adds to!) much of the functionality in the web console page when reviewing IAM policies in the browser.</p>
<p>You can use Parliament to scan your IAM policy with the following command:</p>
<p><code>parliament --file policy.json</code></p>
<br>
<br>
</div>

        <!--Appendix-->
        <h3 id="appendices">Appendix</h3>
        <br>

        <!--Appendix subsection: Glossary-->
        <h4 id="glossary">Glossary</h4>
        <div id="definition-impact"><h6>Impact</h6></div>

<p>The impact the risk would have on an organization if such a vulnerability were successfully exploited is rated according to criteria listed below. Note that these ratings are based on NIST 800-30 impact definitions.</p>
<ul>
<li><strong>Critical</strong>: The issue causes multiple severe or catastrophic effects on operations, assets or other organizations.</li>
<li><strong>High</strong>: Causes produces severe degradation in mission capability to the point that the organization is not able to perform primary functions or results in damage to organizational assets.</li>
<li><strong>Medium</strong>: Trigger degradation in mission capability to an extent the application is able to perform its primary functions, but their effectiveness is reduced and there may be damage to the organization's assets.</li>
<li><strong>Low</strong>: Results in limited degradation in mission capability; the organization is able to perform its primary functions, but their effectiveness is noticeably reduced and may result in minor damage to the organization's assets.</li>
</ul>
<div id="definition-privilege-escalation"><h6>Privilege Escalation</h6></div>

<p>These policies allow a combination of IAM actions that allow a principal with these permissions to escalate their privileges - for example, by creating an access key for another IAM user, or modifying their own permissions. This research was pioneered by <a href="https://twitter.com/SpenGietz">Spencer Gietzen</a> at Rhino Security Labs. Remediation Guidance can be found <a href="https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/">here</a>.</p>
<div id="definition-resource-exposure"><h6>Resource Exposure</h6></div>

<p>Resource Exposure actions allow modification of Permissions to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html">resource-based policies</a> or otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure - for example, the ability to modify <a href="https://docs.aws.amazon.com/ram/latest/userguide/what-is.html">AWS Resource Access Manager</a>.</p>
<div id="definition-infrastructure-modification"><h6>Infrastructure Modification</h6></div>

<p>Infrastructure Modification describes IAM actions with "modify" capabilities, and can therefore lead to <a href="https://attack.mitre.org/techniques/T1496/">Resource Hijacking</a>, unauthorized creation of Infrastructure, Backdoor creation, and/or modification of existing resources which can result in downtime.</p>
<div id="definition-data-exfiltration"><h6>Data Exfiltration</h6></div>

<p>Policies with Data leak potential allow certain read-only IAM actions without resource constraints, such as <code>s3:GetObject</code>, <code>ssm:GetParameter*</code>, or <code>secretsmanager:GetSecretValue</code>. Unrestricted <code>s3:GetObject</code> permissions has a long history of customer data leaks. <code>ssm:GetParameter*</code> and <code>secretsmanager:GetSecretValue</code> are both used to access secrets. <code>rds:CopyDBSnapshot</code> and <code>rds:CreateDBSnapshot</code> can be used to exfiltrate RDS database contents.</p>
<div id="definition-roles-assumable-by-compute-services"><h6>Roles Assumable by Compute Services</h6></div>

<p>IAM Roles can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda) can present greater risk than user-defined roles, especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute <a href="https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html">ssm:SendCommand</a> and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier.</p>
<div id="definition-trust-policy"><h6>Trust Policy</h6></div>

<p>A JSON policy document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.</p>
<p>This definition was taken from the AWS Documentation <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy">here</a>.</p>
<div id="definition-principal"><h6>Principal</h6></div>

<p>An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role.</p>
<div id="definition-role"><h6>Role</h6></div>

<p>An IAM identity that you can create in your account that has specific permissions. An IAM role has some similarities to an IAM user. Roles and users are both AWS identities with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.</p>
<p>We are particularly interested in roles used for <strong>compute services</strong> - i.e., Compute Service Roles.</p>
<p>This definition was taken from the AWS Documentation <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role">here</a>.</p>
<div id="definition-managed-policy"><h6>Managed Policy</h6></div>

<p>There are two types of Managed Policies: AWS-managed policies and Customer-managed policies. They are described below.</p>
<p>Criteria for selecting Managed Policies versus Inline policies can be found in the AWS documentation <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline">here</a>.</p>
<div id="definition-customer-managed-policy"><h6>Customer-managed policy</h6></div>

<p>AWS documentation on Customer-managed policies can be found <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies">here</a>.</p>
<p>The following diagram illustrates customer managed policies. Each policy is an entity in IAM with its own Amazon Resource Name (ARN) that includes the policy name. Notice that the same policy can be attached to multiple principal entities—for example, the same DynamoDB-books-app policy is attached to two different IAM roles.</p>
<p><img alt="Customer-managed policy diagram" src="https://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-customer-managed-policies.diagram.png" /></p>
<div id="definition-aws-managed-policy"><h6>AWS-managed policy</h6></div>

<p>An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.</p>
<p>AWS documentation on AWS-managed policies can be found <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies">here</a>.</p>
<p>The following diagram (taken from the AWS documentation) illustrates AWS managed policies. The diagram shows three AWS managed policies: AdministratorAccess, PowerUserAccess, and AWSCloudTrailReadOnlyAccess. Notice that a single AWS managed policy can be attached to principal entities in different AWS accounts, and to different principal entities in a single AWS account.</p>
<p><img alt="AWS-managed policy diagram" src="https://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-aws-managed-policies.diagram.png" /></p>
<div id="definition-inline-policy"><h6>Inline Policy</h6></div>

<p>An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. You can create a policy and embed it in a identity, either when you create the identity or later.</p>
<p>AWS documentation on inline policies can be found <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies">here</a>.</p>
<p>The following diagram illustrates inline policies. Each policy is an inherent part of the user, group, or role. Notice that two roles include the same policy (the DynamoDB-books-app policy), but they are not sharing a single policy; each role has its own copy of the policy.</p>
<p><img alt="Inline policy diagram" src="https://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-inline-policies.diagram.png" /></p>
<p>Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.</p>
<br>

        <!--Appendix subsection: Exclusions configuration-->
        <h4 id="exclusions">Exclusions configuration</h4>
        <p>The Cloudsplaining exclusions configuration is shown below. You can leverage this to ensure reusability, for next time you run the scan.</p>
<pre><code>
</code>
exclude-actions:
- ''
groups:
- ''
include-actions:
- s3:GetObject
- ssm:GetParameter
- ssm:GetParameters
- ssm:GetParametersByPath
- secretsmanager:GetSecretValue
- rds:CopyDBSnapshot
- rds:CreateDBSnapshot
policies:
- AWSServiceRoleFor*
- '*ServiceRolePolicy'
- '*ServiceLinkedRolePolicy'
- AdministratorAccess
- service-role*
- aws-service-role*
- MyRole
roles:
- service-role*
- aws-service-role*
users:
- ''

</pre>

        <!--Appendix subsection: References-->
        <h4 id="references">References</h4>
        <ul>
  <li><a href="https://github.com/salesforce/policy_sentry/">Policy Sentry</a> by <a href="https://twitter.com/kmcquade3">Kinnaird McQuade</a> at Salesforce</li>
  <li><a href="https://github.com/duo-labs/parliament/">Parliament</a> by <a href="https://twitter.com/0xdabbad00">Scott Piper</a> at Duo Labs</li>
  <li><a href="https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation">AWS Privilege Escalation Methods</a> by <a href="https://twitter.com/SpenGietz">Spencer Gietzen</a> at Rhino Security Labs</li>
</ul>
<br>

        <hr>

        </div> <!-- /data-spy -->
      </div> <!-- /column containing all contents-->
    </div><!-- /row holding all contents-->
  </div><!-- /container -->
</div><!-- /row holding container holding all contents -->

<!-- JQuery-->
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<!--Popper-->
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>

<!--  Bootstrap-->
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"
        integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6"
        crossorigin="anonymous"></script>

<!--Data Tables-->
<script type="text/javascript" src="https://cdn.datatables.net/1.10.20/js/jquery.dataTables.min.js"></script>
<script type="text/javascript" src="https://cdn.datatables.net/buttons/1.6.2/js/dataTables.buttons.min.js"></script>
<script type="text/javascript" src="https://cdn.datatables.net/buttons/1.6.2/js/buttons.flash.min.js"></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jszip/3.1.3/jszip.min.js"></script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/pdfmake/0.1.53/vfs_fonts.js"></script>
<script type="text/javascript" src="https://cdn.datatables.net/buttons/1.6.2/js/buttons.html5.min.js"></script>

<script type="text/javascript" src="https://cdn.datatables.net/buttons/1.6.2/js/buttons.print.min.js"></script>
<script type="text/javascript" src="https://cdn.datatables.net/select/1.3.1/js/dataTables.select.min.js"></script>

<!--<script>-->
<!--  $(document).ready(function() {-->
<!--    // $('#aws-managed-table').DataTable();-->
<!--    // $('#customer-managed-table').DataTable();-->
<!--    $('#principals-table').DataTable();-->
<!--} );-->
<!--</script>-->

<!--Customer Table: Filter by Column-->
<script>
$(document).ready(function() {
    // Setup - add a text input to each footer cell
    $('#customer-managed-table thead tr').clone(true).appendTo( '#customer-managed-table thead' );
    $('#customer-managed-table thead tr:eq(1) th').each( function (i) {
        // var title = $(this).text();
        $(this).html( '<input type="text" style="width: 70px" placeholder="Search"/>' );

        $( 'input', this ).on( 'keyup change', function () {
            if ( table.column(i).search() !== this.value ) {
                table
                    .column(i)
                    .search( this.value )
                    .draw();
            }
        } );
    } );

    var table = $('#customer-managed-table').DataTable( {
        dom: 'Bfrtip',
        buttons: [
            'copy',
            'csv',
            'excel',
              {
                  extend: 'print',
                  text: 'Print all',
                  exportOptions: {
                      modifier: {
                          selected: null
                      }
                  }
              },
              {
                  extend: 'print',
                  text: 'Print selected'
              }
        ],
        orderCellsTop: true,
        fixedHeader: true,
        columnDefs: [ {
            orderable: false,
            className: 'select-checkbox',
            targets:   0
        } ],
        select: {
            style:    'multi+shift',
            selector: 'td:first-child'
        },
        order: [[ 1, 'asc' ]]
    } );
} );
</script>

<!--AWS Table: Filter by Column-->
<script>
$(document).ready(function() {
    // Setup - add a text input to each footer cell
    $('#aws-managed-table thead tr').clone(true).appendTo( '#aws-managed-table thead' );
    $('#aws-managed-table thead tr:eq(1) th').each( function (i) {
        // var title = $(this).text();
        $(this).html( '<input type="text" style="width: 70px" placeholder="Search"/>' );

        $( 'input', this ).on( 'keyup change', function () {
            if ( table.column(i).search() !== this.value ) {
                table
                    .column(i)
                    .search( this.value )
                    .draw();
            }
        } );
    } );

    var table = $('#aws-managed-table').DataTable( {
        dom: 'Bfrtip',
        buttons: [
            'copy',
            'csv',
            'excel',
              {
                  extend: 'print',
                  text: 'Print all',
                  exportOptions: {
                      modifier: {
                          selected: null
                      }
                  }
              },
              {
                  extend: 'print',
                  text: 'Print selected'
              }
        ],
        orderCellsTop: true,
        fixedHeader: true,
        columnDefs: [ {
            orderable: false,
            className: 'select-checkbox',
            targets:   0
        } ],
        select: {
            style:    'multi+shift',
            selector: 'td:first-child'
        },
        order: [[ 1, 'asc' ]]
    } );
} );
</script>

<!--Principals Table: Filter by Column-->
<script>
$(document).ready(function() {
    // Setup - add a text input to each footer cell
    $('#principals-table thead tr').clone(true).appendTo( '#principals-table thead' );
    $('#principals-table thead tr:eq(1) th').each( function (i) {
        // var title = $(this).text();
        $(this).html( '<input type="text" style="width: 70px" placeholder="Search"/>' );

        $( 'input', this ).on( 'keyup change', function () {
            if ( table.column(i).search() !== this.value ) {
                table
                    .column(i)
                    .search( this.value )
                    .draw();
            }
        } );
    } );

    var table = $('#principals-table').DataTable( {
        dom: 'Bfrtip',
        buttons: [
            'copy',
            'csv',
            'excel',
              {
                  extend: 'print',
                  text: 'Print all',
                  exportOptions: {
                      modifier: {
                          selected: null
                      }
                  }
              },
              {
                  extend: 'print',
                  text: 'Print selected'
              }
        ],
        orderCellsTop: true,
        fixedHeader: true,
        columnDefs: [ {
            orderable: false,
            className: 'select-checkbox',
            targets:   0
        } ],
        select: {
            style:    'multi+shift',
            selector: 'td:first-child'
        },
        order: [[ 1, 'asc' ]]

    }
    );

} );
</script>

<!--Press Collapse/expand button so you can Ctrl+F through the report-->
<script type="text/javascript">
  $(function () {
    $('#collapseAccordion').on('click', function (e) {
      $('.panel-collapse').collapse('hide');
    })
    $('#expandAccordion').on('click', function (e) {
      $('.panel-collapse').collapse('show');
    })
  });
</script>

<!--Force first tab as active tab-->
<script type="text/javascript">
    $(document).ready(function(){
        $('.nav-tabs a[href="#nav-summary"]').tab('show');
    });
</script>
<!--When Summary Tab is clicked, switch to its tab and then scroll to the top-->
<script>
 $('#nav-summary-tab').click(function(){
    $('a[href="#nav-summary-tab"]').click();
    console.log($('a[href="#nav-summary-tab"]').text() + ' click triggered');
    $("html, body").animate({ scrollTop: 0 }, 600);
    $('.nav-tabs a[href="#nav-summary"]').tab('show');
    return false;
 });
</script>
<!--When Customer Managed Tab is clicked, switch to its tab and then scroll to the top-->
<script>
   $('#nav-customer-managed-tab').click(function(){
    $('a[href="#nav-customer-managed-tab"]').click();
    $('.nav-tabs a[href="#nav-customer-managed"]').tab('show');
    $("html, body").animate({ scrollTop: 0 }, 600);
    return false;
    console.log($('a[href="#nav-customer-managed-tab"]').text() + ' click triggered');
 });
</script>
<!--When AWS Managed Tab is clicked, switch to its tab and then scroll to the top-->
<script>
   $('#nav-aws-managed-tab').click(function(){
    $('a[href="#nav-aws-managed-tab"]').click();
    $('.nav-tabs a[href="#nav-aws-managed"]').tab('show');
    $("html, body").animate({ scrollTop: 0 }, 600);
    return false;
    console.log($('a[href="#nav-aws-managed-tab"]').text() + ' click triggered');
 });
</script>
<!--When IAM Principals Tab is clicked, switch to its tab and then scroll to the top-->
<script>
   $('#nav-principals-tab').click(function(){
    $('a[href="#nav-principals-tab"]').click();
    $('.nav-tabs a[href="#nav-principals"]').tab('show');
    $("html, body").animate({ scrollTop: 0 }, 600);
    return false;
    console.log($('a[href="#nav-principals-tab"]').text() + ' click triggered');
 });
</script>


</body>
</html>
